Slashdot Mirror


Ask Security Guru Dave Dittrich About DDoS Attacks

Yes, this is the University of Washington Dave Dittrich behind the software the FBI is trying to get you to use to help find the people doing the massive DoS attacks that have made headlines all over the place. Learn more about Dave and check out the info about the current brou-hah-hah on his home page, then ask away. We'll send the 10 - 15 highest-moderated questions to Dave Friday evening, and post his answers as soon as he can get them to us in between answering questions from mainstream media types who, as you can imagine, are all over him right now.

274 comments

  1. Nelson: Ha Ha!!! by Anonymous Coward · · Score: 0

    Ohh sorry looooser.

    But we do have a parting gift for you.
    Tell him what he's won Vanna.

    Vanna: It's a lovely statue of Natalie Portman and a lifetime supply of grits. That's right now you Mr. Coward can enjoy aberrant sexual practices in the comfort of your own little shack.

  2. silly troll by Anonymous Coward · · Score: 0

    please save sodomy trolling for the weekend.

  3. O.K. Computer by Anonymous Coward · · Score: 0

    How did you become interested in computer security... by hacking into systems?

  4. something to ask by Anonymous Coward · · Score: 0

    Do you think that other people would do Denial of Service attacks on Microsoft?

    1. Re:something to ask by Anonymous Coward · · Score: 0

      Yahoo doesn't have internet II backbone. MS does.

    2. Re:somthing to ask by turbodog42 · · Score: 1

      I was talking just yesterday with a person who was familiar with MS's public Internet connections and architecture. It is highly distributed, with huge data centers all around the world, with sophisticated load balancing and failover. From what he said, it seems like an effective DoS attack on the high-traffic portions of MS's web presence would be very difficult. Then again, I ASSUME that Yahoo is highly distributed and well load-balanced and they were taken down all the same.

  5. Why no source for find_ddos? by Anonymous Coward · · Score: 0

    I'd like to run the find_ddos tool on my Solaris box, but it would obviously require root (to search everywhere) and I'm not willing to run a 'black-box' binary as root on my machine... Is there any particular reason why source code is unavailable for this tool?

    1. Re:Why no source for find_ddos? by Anonymous Coward · · Score: 0

  6. Re: Please provide find_ddos source code by Anonymous Coward · · Score: 0

    The NIPC has determined that it is important not to release the source code publicly. We do, however, have measures in place to help ensure that the executable on our website is not compromised. Thank you for contacting us. NIPC Watch and Warning Unit nipc@fbi.gov

  8. OK Campers, Here's a riddle by Anonymous Coward · · Score: 0
    Who has a newly formed security firm in need of a customer base?
    Who has the most to gain with all the knee jerk from DoS attacks?
    Who just got 10M in seed capital to ramp up operations?
    Who has the best brains on the planet when it comes to DoS and exposing little-known security exploits?
    Who boasted on national TV that they could do this?
    Who is about to launch a campaign to sell a scanner to prevent and defend against DoS attacks?
    Who is the premier firm for information concerning DoS and general exploit tools?
    Who has the mantra of making business security aware through embarrassment by publicly showing exploits?

    Give up? @Stake, (aka L0pht) that's who, seems obvious to me.

    Posting as AV for obvious reasons.

    1. Re:OK Campers, Here's a riddle by Anonymous Coward · · Score: 0

      The L0pht were a company before forming @stake, and they were consulting before @stake. If they wanted to drum up business, they would have done it before they were so high profile. The L0pht did NOT do this.

  9. find_ddos usage by Anonymous Coward · · Score: 0

    Don't try to run find_ddos while in X, or you might lock up your system.

  10. Re:Overdone media coverage by Anonymous Coward · · Score: 0
    OUCH! My eyes!:>

    Seriously, I believe it's the folks over at L0pht and not the evil feds. Seems like a perfectly logical marketing plan to me.

  11. What a beautiful troll... by Anonymous Coward · · Score: 0

    I do like it.

  12. Re: Please provide find_ddos source code by Anonymous Coward · · Score: 0

    You're being anal-retentive.

    Let it out.

    Then flush.

  13. This will blow over (ie Who cares?) by Anonymous Coward · · Score: 0

    This whole thing is overblown, as it will go away in due course all by itself.

    The reason is that stacheldraht/TFN/etc rely on hijacking various machines to act as agents to flood the intended victim. This does as much damage to the 'agents' networks as the intended victim. Do you think the 'agents' will stand for this very long? I don't.

    In fact there's one really simple solution to this entire problem: I could stop ALL DDoS attacks tomorrow by making a worm which would crash any vulnerable Solaris/Linux box. Even if no one makes this hypothetical worm, those boxes will end up crashed anyway from all the trinoo clients on them.

    The real question is why some people are using this as a publicity stunt.

  14. what will the FBI do when you catch the perpetrato by Anonymous Coward · · Score: 0

    When you catch these guys, is there any chance you'll pour hot grits down their pants? Thank you.

  15. Feds are looking for a 31337 whipping boy. by Anonymous Coward · · Score: 0
    I'm sorry, but disrupting the net is hardly worthy of longer term punishments than what people get for armed robbery, assault/battery, rape, attempted murder, etc. where real lives are threatened and real physical injury results.

    No one will die because a web site was down for a few hours.

    This is not to say that these h4x0rz should get off with a warning either. But long jail terms? Seizure of all assets upon mere accusation of cracking (h4x0rz aren't dealing drugs and ruining lives here)? Millions in fines (that don't go to the victims anyway)? No. That's overdoing it.

    1. Re:Feds are looking for a 31337 whipping boy. by Anonymous Coward · · Score: 0

      A man who commits suicide because he was fired because the company couldn't afford him because they lost too much revenue and a competitor took over the business would die.

  16. Re:illegal? by Anonymous Coward · · Score: 0

    This is the question _I_ really want answered. Why is it any different than farmers driving their tractors to DC and clogging up the highway? Or flushing all the toilets in school at once. Prank? Yes. Annoying. Yes. But criminal? Ok, if they hack into the computers of companies A, B, and C in order to plant these programs so they can attack company D later, I can see charges related to the first 3 break ins, but is the attack itself illegal? What if I and a 1000 buddies get our modems to start calling the same pizza delivery store over & over again at the same time because I was upset with my last pizza?

  17. Mystery Hacker or Government Looking for Capital by Anonymous Coward · · Score: 0

    Most of the major media players are reporting that this attack was initiated by an individual or group of (hackers|crackers|script-kids). 2600 and a few other (mostly "underground") sites have reported that this attack closely follows a government request for more money to pursue "cyber-(intruders|crime)." If one believes this is more than a coincidence, then one couldn't help but consider (at least for a second) that the government could be initiating these attacks to bring cyber-crime into the public eye.

    One might then look at the response to the recent attacks by the Attorney General's Office and the FBI. Compare their recent response to that of a slightly older incident (the DoS that UUNet/Semaphore.net/Oz.net/others? felt about a month ago), and it is leaps and bounds ahead of that. I don't remember seeing one word from the FBI regarding the UUNet incident. Granted the public becomes more aware of such incidents when large scale sites such as Yahoo are attacked, but maybe the government's response to Yahoo and co. seems (falsely?) extra valiant.

    Also consider that Attrition allegedly received an anonymous letter claiming responsibility for the attacks. In this letter, the author claims there were insiders in each of the target companies (what their role was in the attacks wasn't clear to me). It also claimed that the reason for the attacks was to decrease the targets' stock value. Uh oh! Stock manipulation! Big Crime! Better use every available resource within the FBI to go after those evil hackers. Don't forget that we're now talking about conspiracy, too. Maybe the government (or a piece of the government) wrote the letter to give themselves a reason to spend all available resources tracking the attackers down. Then, when they don't find the attacker(s), they can make the claim that all of their resources weren't enough. The obvious solution is to increase their budget...

    Okay, so I like to be suspicious. It keeps me on my toes, and it's kind of fun.

    What are your thoughts on the hypothesis that the government is attacking these websites to bring publicity to the subject of online crime and gain public support for an increased "cyber-budget?"

  18. Re:Why exactly should the average citizen care? by Anonymous Coward · · Score: 0

    "Corporations because like so many of the people here have said are EEEEEEEEEEEEVVVVVVVVVVVIIIIIIILLLLLLLL and are akin to the Third Reich in their effect."

    As soon as an EEEEEEEEEEEEVVVVVVVVVVVIIIIIIILLLLLLLL corporation kills six million people, I'll be interested in your opinion on the subject.

  19. Re:Why exactly should the average citizen care? by Anonymous Coward · · Score: 0

    Sorry to break this to you kid, but the internet is not anything new. It's been around for over 30 years now.

    Personally, I was ftping/telnetting/gophering to sites around the world 15 years ago.

  20. Re:Who can fix this, hardware people or software? by Anonymous Coward · · Score: 0
    Why are you even asking about ethernet chipset makers? Ethernet is layer 2, we are talking layer 3 and above here... it doesn't really matter what medium below IP you are running on.

    Anyway, your question doesn't really have an answer; sure, routers could drop spoofed packets and network admins could get rid of them too, but if it's distributed, isn't the intent to make each computer that is connecting appear as if it is just a regular user surfing away? There is no protection against that except through virus detection programs.

  21. Re:Why exactly should the average citizen care? by Anonymous Coward · · Score: 0

    Oh no, poor little Yahoo/CNN/Amazon/Buy.com might "lose" (in this context lose=not gain) a few million (like they'd miss it anyways).

    I'm _sure_ that those companies would be assisting the FBI without any hesitation if the tables were turned and it was _my_ PC that was hacked/DoS'd.

    My answer to you is if you like any of these companies and the FBI, go ahead and help. I won't have any part of it though. Why should I take time out of my day for these guys?

    Besides, didn't your mommy teach you that it's not nice to be a tattle-tale?

  22. Re:I was hit with this - what's wrong with Yahoo!? by Anonymous Coward · · Score: 0

    That's unusual. Isn't there a mechanism in place to disable a network outlet that has been using too much bandwidth in the residence halls? A few years ago, one of my friends lost access for a short period of time (less than half an hour) because he was playing around with MBONE in Schlag, and routing several multicast video streams onto his subnet was causing a problem...

  23. SPOOFING IS NOT A FLAW! by Anonymous Coward · · Score: 0

    Argh! Please stop spreading this nonsense. If you get people to start filtering source addrs at borders you will break a lot of legit uses (this coming from the guy with a cable modem, ADSL, and an ISDN channel). Please don't do this.
    The solution is to get people on fat pipes to care if their systems get horribly hacked.

    IPv6 does *NOTHING* to stop 'spoofing', and stopping it would do nothing for this type of attack; sure, they couldn't send with oddball source addresses, so it would be faster to stop. But the hacked computers are the real problem.

    This is like the public blaming the internet for child porn.

  24. Who is really at fault? by Anonymous Coward · · Score: 0

    Couldn't Smurf DoS attacks be prevented entirely if everybody with high-bandwidth access to the net used a decent firewall, or otherwise configured their network not to respond to broadcast ICMP from outside the network? Don't those that are doing a poor job at network administration share some of the blame for this, perhaps to the extent that a class-action civil suit could be launched against them? Are the "hackers" in this case actually doing us a favor, by bringing to light a long-known weakness of the internet? Finally, in answer to the question "how do they profit from this"... the stock of some of the firewall companies such as WatchGuard have shot up 50% in the last week. Wouldn't that give the firewall manufacturers a pretty powerful motive for having perpetrated these attacks in the first place?

  25. Re:Recognizing DoS by Anonymous Coward · · Score: 0
    We need to be more specific about what kind of DoS we're talking about. Source-address blocking IS effective against Smurf, but not against SYN flooding; especially SYN flooding with quasi-random source addresses.

    In fact, as far as I know, Smurf could be easily stamped out if everybody cooperated. Is there any defense against SYN flooding concurrently from several compromised hosts?

  26. "enough compromised clients" by Anonymous Coward · · Score: 0
    "enough compromised clients" is the key phrase here; if a site can handle 10,000 concurrent users, then we've got a REAL problem if somebody can compromise 10,000 clients.

    However, I can imagine that all ISPs filtering outgoing source addresses would be a big help.

    1. Re:"enough compromised clients" by lakdjfalkdj · · Score: 1

      Sure, you could probably have 10,000 hacked sites. Just think of all the millions of Internet users, now think of all those millions of Internet users having a 24/7 high speed Internet connection. :)

    2. Re:"enough compromised clients" by elegant7x · · Score: 1

      "enough compromised clients" is the key phrase here; if a site can handle 10,000 concurrent users, then we've got a REAL problem if somebody can compromise 10,000 clients.

      You forget the computing power of the clients. If each can open 100 network sockets (and I don't see why they wouldn't) you would only need 100 hacked systems. I know a guy who accidentally left full read sharing on his mp3 directory, and ended up serving 98 users. You could probably push them even farther than that.

      Amber Yuan (--ell7)

      --

      "and dear god does this website suck now." -- CmdrTaco

  27. Re:Why exactly should the average citizen care? by Anonymous Coward · · Score: 0

    Boy, this has to be one of the dumbest things I've seen in a long time.

    Corporations because like so many of the people here have said are EEEEEEEEEEEEVVVVVVVVVVVIIIIIIILLLLLLLL and are akin to the Third Reich in their effect. Well I guess those widdle ol' corporations can just fend for themselves now that the heat is on, or will you just moderate this down and just continue to think that the world is comprised of people who like money and money makers.

    Give me a break...as someone else has already astutely observed, "Show me a company that murdered 6 million people." You seem to have a major chip on your shoulder with regards to authority figures...

    Corporations, like people, come in two varieties...good...and bad. If you're not part of the solution, you're part of the problem. End of story.

    I can't even now see that a large portion of money is actually being transferred online versus traditional methods. I would love some hard data to back up your claims.

    Guess you don't have a credit card, ATM card, or bank account, then, eh? I, for one, appreciate the fact that my paychecks can be directly deposited into my bank account with MegaloAggressorOverlordBank, so my funds are available to me immediately. From what I understand, a HUGE percentage of funds transfers are electronic now. Makes sense to me...

    As far as one of your other comments to Tim B. goes:

    I could say that if one were to get at least $1,000,000,000 that said person has most likely defrauded some person or done something dishonest in their lives. That is a fact that I am at least 99.9% sure of.

    I have only one thought in mind: Pot, kettle, black. I have a real tough time believing that you're some fucking angel without any skeletons in your closet. I hope that when somebody drops a DoS on your sorry ass, the FBI tells you to take a hike...

    And WTF, you're only "at least 99.9% sure of" that fact? You've been so adamant in your other opinions, I was sure you'd say 100%!

  28. Re:Why exactly should the average citizen care? by Anonymous Coward · · Score: 0

    So what? Maybe it WOULD be a good idea if we all had to authenticate to a big server in Washington before we could go on the net... then they could keep logs and stuff of what we do for legal purposes in case we commit a crime.

  29. Re: Please provide find_ddos source code by Anonymous Coward · · Score: 0

    I got exactly the same stock answer when I asked why the source code wasn't being released.

    Phil Karn

  30. moderate this guy down! by Anonymous Coward · · Score: 0

    Please, folks... the user Slashdot Terminal seems like quite a wacko... when I read comments that have a score of 2 I hope to avoid nonsense like this!

  31. Re:Why exactly should the average citizen care? by Anonymous Coward · · Score: 0

    How many people do you think deserve to be locked up in a padded room for comparing deaths due to Nazi atrocities to deaths caused by people who spend their lives voluntarily inhaling smoke from burning leaves for no apparent reason?

  32. It's not the box by Anonymous Coward · · Score: 0

    You're bandwidth limited by CM's T1 line, and probably by their firewall. The big companies have most likely got OC3's and no firewall. Also, these DoS attacks aren't actually crashing machines, they are just generating enough traffic so that no one else can get a word in edgewise.

    1. Re:It's not the box by dennisp · · Score: 1

      Actually, he likely has a 10mbps interface. CMU has a t3 to the internet and (if I remember correctly) oc3 or oc12 or something similar to vbns. Flooding a 10mbps interface would quite possibly slow his computer to a crawl. I have been smurf attacked before sitting on a 10mbps interface to a t3 network, and my mouse completely froze in X (p2 400 + 128 mb of ram) and my windowmaker network status applet showed 100% utilization. I couldn't move the mouse again until the asshole stopped 5 minutes later :).

      My guess is that the attack wasn't as large as he thinks - or he or the routers setup had an elegant ICMP or SYN rate limiting and dropping scheme.

  33. YES! by Anonymous Coward · · Score: 0

    Any volunteers to put it up?

  34. that's 'cuz it's a troll son by Anonymous Coward · · Score: 0

    I don't have a problem with the merger per se but you're not giving me the warm fuzzies...

    It wasn't supposed to. It was supposed to be funny (captan taco?)

  35. Can you PLEASE supply closed source everything? by Anonymous Coward · · Score: 0

    I do not believe all of these people. You are the government for gosh sakes and I am an American.

    Can you supply me with binaries on everything that you want me to use on my network? I am upset that there is not more government made and approved software! There is no telling what these "open source" hippies are up to, so please, pretty please, set up my system for me the way you like it to be and please also tell me when to wipe my butt too.

    I will be waiting with crossed legs.

  36. That's BS. Stop fudding IPv6. by Anonymous Coward · · Score: 0

    This kind of misinformation spreading MUST stop. It's plainly obvious that people are making an intentional effort to FUD IPv6 here on Slashdot and in other forums, and because knowledge of IPv6 is so limited, the fudding is effective.

    IPv6 headers are bigger. But not tons bigger, only 2x, because they removed cruft from the headers.
    Additionally, the layout of the packet has been improved, yielding better handling.
    In fact, on my home LAN, between two Linux boxes IPv6 has almost the same latency for very small packets, better latency for near MTU, and much better latency for >MTU (fragmented) packets, because of the smarter packet headers.
    IPv6 does nothing to stop 'spoofing'; MAC addresses are not required in the addresses (it's just one option for autoconfiguration).

    In short there is a lot most people don't know about v6, and there are quite a few orgs that stand to benefit from killing v6 (Microsoft, 3com, and Nortel are the biggest).
    Please get some information before making judgements.

  37. Re:illegal? by Anonymous Coward · · Score: 0

    The cynic in me says that if you can't afford a $10 56K modem, then you should get another fucking job.

    I dare you to say you aren't dependent on computers. Or, another good example, cars. You made the choice, now live with it.

    And as far as E-Trade goes, you'd probably be surprised to know that "EEEEEEEEEEEVVVVVVVVVVVIIIIIIIIIIIILLLLLLLLL" corporations don't use E-Trade -- Joe Six-Pack does. Joe Six-Pack with a wife and kids, who maybe has a little bit of disposable income left over, and decides to try investing in the hopes of building a little money for the future. Is that so wrong? Is that a symbol of "capitalism gone wrong", or of a "fat cat who's not hurting at all"?

    To paraphrase Douglas Adams, your mind is not merely twisted -- it's severely sprained.

  38. His parents will be pissed by Anonymous Coward · · Score: 0

    I bet he thinks he's cool now, but when his parents get that $250k bill I'm sure he won't be laughing. I figure the FBI will have this wrapped up by the beginning of next week. They probably have already built a solid case against someone and are just waiting to file for a search warrant to take his stuff. You'd have to be REALLY good and organized to not leave any trace.. and if they left ANY trace they will be found, locked up, and raped by big black men in prison. Good job fellows. Say goodbye to your anal integrity. They just love little white boys like you.

  39. Re:Why exactly should the average citizen care? by Anonymous Coward · · Score: 0

    How assertive, as if buying from the net would ever actually be safe... hahaha... funny the naive are...

  40. Re:Why exactly should the average citizen care? by Anonymous Coward · · Score: 0

    Yeah, but how much money have they lost to credit card fraud alone? Maybe those investors they are leaching from should start asking...

  41. Re:Why exactly should the average citizen care? by Anonymous Coward · · Score: 0

    Oh, wow, I use their service; it just so happens at the time I was doing something called work by the average citizen, and it didn't affect me at all.

  42. Re:Why exactly should the average citizen care? by Anonymous Coward · · Score: 0

    Again you make the same mistake he tried to correct you on...

    You are not a machine full of facts, you are a man full of opinions, so maybe you should restate that as...

    "In my opinion there is no client application under Linux that is better than the equivalent one that runs under Windows"

    And obviously you like to assume too much; methinks you are a fool, a glutton for punishment. You forget that the Linux zillion-plus-one clients are also as good if not better... There will always be a situation where you are wrong. Have you ever tried CVS under Windows for example? And could you point me to where a CVS client under Windows is better than Linux?

  43. Re:Why exactly should the average citizen care? by Anonymous Coward · · Score: 0

    "deaths caused by people who spend their lives voluntarily inhaling smoke from burning leaves for no apparent reason"

    Isn't this the same argument that the cigarette companies made? I think the apparent reason is addiction, but wait, those cancer sticks are not addictive so there is no apparent reason... now it all makes sense...

  44. Re:Stop Spoofing At The Backbone? by Anonymous Coward · · Score: 0

    http://users.quadrunner.com/chuegen/smurf.txt
    ---
    "Smurfing" description and information to minimize effects. It also talks about spoofed TCP SYN flooding and settings on routers you can do to prevent yourself from hosting an attack (smurf in particular) and settings to prevent spoofing from within your own ranges which prevents a number of attacks and allows for easy tracing if attacks occur because attackers are unable to spoof.
    ***

    http://cio.cisco.com/warp/public/707/4.html
    ---
    Defining Strategies to Protect Against TCP SYN Denial of Service Attacks. This is information for Cisco routers in particular to prevent being the host of such an attack. They have links on that page to sites which discuss in detail the costs of implementing as such (even a mailing list archive on merit.edu with recent information regarding the yahoo attack).
    ***

    Thank you.

  45. Re:Why exactly should the average citizen care? by Anonymous Coward · · Score: 0

    Well there are some theories that particulate pollution is the cause of 95% of all cancer or something, so then heavy industry, and anything else that produces particulate pollution (aka dust), has caused millions of deaths in part. Better go attack hoover.com, they make an awful lot of dust spewing machines.

  46. is the FBI hiring for information security types? by Anonymous Coward · · Score: 0

    If so, what kinda stuff do you look for when going over candidates? I read that you require a law degree or 5+ years exp. in current field of expertise, is this true? Which is strange because it seems that a: most IT people don't have/want law degrees and b: if you're working for a company for 5+ years chances are you might be settled in pretty well. Just curious. Thanks.

  47. Re: Please provide find_ddos source code by Anonymous Coward · · Score: 0

    Here is a link to the source code.

  48. Re:A fruitless exercise? by Anonymous Coward · · Score: 0

    Either clueless, too busy, or completely understaffed. This is why many attacks originate out of certain universities and often big business (where IT is often understaffed as well).

    This is how crackers work. Scan the internet - there must be thousands of situations like this existing, so they are bound to find one eventually when scanning..

  49. Re:Recognizing DoS by Anonymous Coward · · Score: 0

    The same way smurf is stamped out is the same way we prevent further spoofed SYN, UDP, whatever attacks. Finding broadcast addresses is just a battle that is lost because there are new ones being found every day. The solution is to get ISPs (large and small) blocking spoofed packets that initiate such attacks (in smurf you spoof your attackee as source; in syn floods you just spoof any old address and send the packet on its way).

    There is no easy way to take care of this problem. However, doing something may reduce the problem.

  50. Re:Antionline: True help? by Anonymous Coward · · Score: 0

    No, I smell idiots.

  51. Re:Answer: not viable by Anonymous Coward · · Score: 0

    Stateful inspection is not needed. I think Signal 11 just likes posting lots of comments, most ill informed :)

  52. Re:Antionline: True help? by Anonymous Coward · · Score: 0

    (a less-paranoid version of the theory that the NSA is behind all this...)

    Why call it a less-paranoid version? Do you think the NSA is to be trusted more than Antionline?

  53. NOT!!! by Anonymous Coward · · Score: 0

    Don't be a prick. The L0pht talked to congress about BGP having wimpy authentication and that making core routers vulnerable to being modified. These DDoS attacks have *nothing* to do with protocol related flaws like the L0pht discussed.

  54. You've always got a choice by Anonymous Coward · · Score: 0

    The Nazis' victims had a choice: they could go to the concentration camps, or die. They chose to go.

  55. Re:Why exactly should the average citizen care? by Anonymous Coward · · Score: 0
    Not one client application under Linux is superior to the ones in Windows. Not one.

    But then, I tend to use more than one application on Linux to do a job. MS Windows won't let me send the output of a file search for files with "space" in the name to a command to search all those files for the string "gold". Instead I have to do a lot of mouse and typing activity.

  56. Re:Other methods? by Anonymous Coward · · Score: 0

    Can't MAC addresses be changed in some NIC cards, or drivers rewritten to spoof the source MAC address? I don't think that MAC addresses are really guaranteed to be unique, as you seem to. And keeping a table of every possible IP address with the MAC it should have associated with it seems to be an untenable solution.

  57. Re:A solution by Anonymous Coward · · Score: 0
    Were these UDP packets?

    I too wish people would be more specific rather than just saying "DoS attack". I have most often seen this called a Smurf attack, which to the best of my knowledge uses ICMP packets, combined with the rather brain-damaged property of some networks to respond to broadcast ICMP packets with spoofed source addresses. This means that having all networks implement filtering out of outgoing packets with source addresses on that net would help.

    If you know of a defense against SYN floods, I'd be interested in hearing it.
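    As an added illustration of the two filtering ideas raised in comments 24, 49 and 57 (not code from any poster, and not the find_ddos tool), here is a Python border-filter check. It assumes a constructed site with the prefixes 192.0.2.0/24 and 198.51.100.0/25 and a handful of constructed packet records: external ICMP echo requests aimed at the site's directed-broadcast addresses are dropped (the Smurf amplifier case), and outbound packets whose source is not one of the site's own addresses are dropped (the spoofed-source egress filter). It also shows why this does not stop a SYN flood from a real external source, as comments 25 and 57 point out.

```python
import ipaddress
from dataclasses import dataclass

# Constructed example: the address blocks this site actually owns (assumed).
SITE_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]


@dataclass
class Packet:
    direction: str   # "in" = arriving from upstream, "out" = leaving the site
    src: str
    dst: str
    proto: str       # "icmp", "tcp" or "udp"
    flags: str = ""  # "echo-request" for ICMP echo, "SYN" for a TCP SYN


def is_site_address(addr):
    """True when addr falls inside one of the site's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in SITE_PREFIXES)


def is_directed_broadcast(addr):
    """True when addr is the broadcast address of one of the site's prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip == net.broadcast_address for net in SITE_PREFIXES)


def classify(pkt):
    """Return (action, reason) for one packet as a border router would decide it."""
    if pkt.direction == "in":
        # Ingress: a packet from outside that claims one of our own addresses
        # as its source cannot be legitimate, so it is spoofed.
        if is_site_address(pkt.src):
            return ("drop", "ingress: external packet with internal source (spoofed)")
        # Smurf amplifier: an outside host pinging our directed-broadcast address
        # would make every host on the subnet answer the (spoofed) source.
        if (pkt.proto == "icmp" and pkt.flags == "echo-request"
                and is_directed_broadcast(pkt.dst)):
            return ("drop", "ingress: ICMP echo to directed broadcast (smurf amplifier)")
        # Note: a SYN from a genuine external address still passes. Source
        # filtering does not stop a SYN flood sent from real compromised hosts.
        return ("accept", "ingress: ok")

    # Egress: only packets carrying one of our own source addresses may leave,
    # so hosts here cannot be used to send spoofed-source floods elsewhere.
    if not is_site_address(pkt.src):
        return ("drop", "egress: source not in site prefixes (spoofed)")
    return ("accept", "egress: ok")


def filter_packets(packets):
    """Apply classify() to every packet; returns a list of (packet, action, reason)."""
    return [(p, *classify(p)) for p in packets]


def drop_summary(packets):
    """Count drops per reason, the kind of tally a defender watches on a border device."""
    counts = {}
    for _, action, reason in filter_packets(packets):
        if action == "drop":
            counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample traffic (203.0.113.0/24 and 10.0.0.0/8 stand in for "outside").
SAMPLE = [
    Packet("in",  "203.0.113.9",  "192.0.2.255",    "icmp", "echo-request"),  # smurf probe
    Packet("in",  "203.0.113.9",  "198.51.100.127", "icmp", "echo-request"),  # smurf probe
    Packet("in",  "192.0.2.7",    "192.0.2.10",     "tcp",  "SYN"),           # spoofed ingress
    Packet("in",  "203.0.113.9",  "192.0.2.10",     "tcp",  "SYN"),           # plain SYN, passes
    Packet("out", "10.0.0.1",     "203.0.113.5",    "udp"),                   # spoofed egress
    Packet("out", "192.0.2.10",   "203.0.113.5",    "tcp",  "SYN"),           # legitimate egress
]

if __name__ == "__main__":
    for pkt, action, reason in filter_packets(SAMPLE):
        print(f"{action:6} {pkt.direction:3} {pkt.src:>15} -> {pkt.dst:<15} {reason}")
    print(drop_summary(SAMPLE))
```

On Cisco IOS the amplifier half of this is the per-interface `no ip directed-broadcast` setting; the egress half is an access list that permits only the site's own source prefixes outbound.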

  58. Re:Traffic Analysis by Anonymous Coward · · Score: 0

    As far as I know, TCP analysis would do nothing against Smurf or SYN flood. I believe what you're referring to is TCP slow start, which keeps the window size small for the first few packets until a reasonable guess of the bandwidth can be made, to avoid excess retransmissions from new connections. And no, blocking source addresses that don't behave nicely would be of little help, since most DoS attacks rely on spoofed source addresses.

  59. This is not the real "Signal 11." by Anonymous Coward · · Score: 0

    Observe the lack of a '.' at the end of his name. Disregard him, he's a troll.

  60. Re:Why exactly should the average citizen care? by Anonymous Coward · · Score: 0

    Um, but when you are dying of some other disease or other problem like asbestos, having spent most of your life addicted to cigarettes does not put you in a survival position when recovering like say from a stroke... I have a relative who died this way...

  61. Re:Why exactly should the average citizen care? by Anonymous Coward · · Score: 0

    What does the "internet infrastructure" have to do with what they did? It's more like you saying "interfere with business == go to jail." What if we had a bunch of kids in jail serving 5 year sentences because they were protesting a business and preventing people from doing their jobs?

  62. DOS or DS? by Anonymous Coward · · Score: 0

    I think we need to take a closer look at this dipshit/dip shit issue.

  63. Re:Why exactly should the average citizen care? by Anonymous Coward · · Score: 0

    OK, so maybe he didn't mean large corporations are the same as the third reich in every respect. But let's not forget that all the Fortune 500 CEOs have funny little moustaches and are banging their nieces. Coincidence?

  64. philosophy by Anonymous Coward · · Score: 0

    Screw the David Cash philosophy, let's hear it for the Jeremy Strohmeyer philosophy and making Yahoo one's bitch. Sometimes you have to rape and kill a multinational corporation to make an omelet.

  65. why is it such a memory hog? by Anonymous Coward · · Score: 1

    What in it makes it chew 200+MB of memory? There is no warning that it wants so much. Maybe the FBI doesn't realize that the majority of Linux boxes out there don't have gigs and gigs of RAM; I have about 15 machines running at 128MB or less. They'd crash if I ran that program without resource limits. nate aphro@aphroland.org

  66. Re:Why exactly should the average citizen care? by Anonymous Coward · · Score: 1

    The average citizen probably shouldn't really care, except of course if they're smart enough to see how much they're being had by the so-called "justice" department. What do we know about DoS? It's pretty much all brute force and no finesse. What do we know about the FBI under the Clinton administration? It's about the least competent lineup of loonies in the history of the Bureau. AND they're obsessed about wiretapping, and checking out your private PGP keys. Why big companies? The visibility, period. The culprit: the FBI. The reason: to get us to install software on our servers which will allow THEM to monitor US. We're talking about a Bureau which can't seem to remove its head from its anus in the best of times. How do you think they came up with a tool which can take care of the current wave of attacks within 2 days of their occurrence? I'm not alone in thinking that the only way this is possible is if they were the initiators of that wave of attacks. Wonder why the DoS patch is available as a binary distribution only? Are you aware that it actually seeks out encrypted files on your systems? Other hints are that no one has seriously claimed responsibility for the attacks (hackers do what they do either to threaten and extort, or to boast) and the heightened amount of huffing and puffing from Janet Reno et al. And this is only the beginning.

  67. Re:Why exactly should the average citizen care? by Anonymous Coward · · Score: 1

    How about this, because the big dollar corporations and Reno will work together to end the 'cyber terrorism', and because their solution might just take another piece out of the free Internet? Attacks such as these work to justify every regulation and restriction the Feds try to impose.

  68. Re:Why exactly should the average citizen care? by Anonymous Coward · · Score: 1

    How do you circumsize a Whale?

    Send down four skin divers!

  69. Various questions by Anonymous Coward · · Score: 2

    To what extent do you believe that the huge amount of media exposure given to these attacks has provided the perpetrators of these offences with both justification and encouragement for their actions? Do you believe that the attacks would have continued were it not for the fact that so much media attention was given to the original attacks upon Yahoo? If media attention is likely to lead to further attacks by either the original perpetrator/s or others, should the media adopt a policy of silence (as, for example, they might have in the wake of the Littleton incident [back in the real world]) or does such information want to be free? What is the value of such attacks, and of the subsequent media attention they garner, as a wake-up call to those who are still unaware of the potential pitfalls of the Internet and e-commerce? --George.

  70. THIS IS FAKE by Hemos · · Score: 2

    Disregard this post - this is not from VA Linux. This is called FALSE ADVERTISING AND LIBEL.

    --
    Yeah, I'm that guy.
  71. I was hit with this - what's wrong with Yahoo!? by Shaheen · · Score: 2

    I am at Carnegie Mellon University and I have a Linux box that runs two eggdrop bots for a couple of IRC channels. (For those who don't know what they do - they just keep a channel's operators in proper order).

    A week or two before Yahoo!, CNN, and other big name companies were hit with this denial of service attack, some people (the same ones??) decided to try and take over one of the channels one of my machine's eggdrop bots runs. The attack lasted approximately 6 hours from beginning until end. When all was said and done, the network usage at Carnegie Mellon was 100% saturated and I received an e-mail in the morning that I had tried to crack a computer in the department of energy services (wherever that is).

    Now, the box is usually not under too much of a load, but does have several purposes - it is an FTP server, and a file server (I play my MP3s from it).

    All throughout the attack, my box actually held up against the attack! I was able to keep playing my MP3s, I was also able to continue (at a very slow pace however) my FTP transfers.

    What I want to know is if MY box (and Carnegie Mellon in general) could stand up to the DDoS attack, why shouldn't Yahoo! and CNN and other huge companies have enough network infrastructure to waylay such an attack? Was it just that my box was hit on a very low scale? Or are corporate networks just not up to snuff?

    --
    You should never take life too seriously - You'll never get out of it alive.
    1. Re:I was hit with this - what's wrong with Yahoo!? by rambone · · Score: 1
      Like all major web companies, Yahoo supports a backbone network at their colocation (globalcenter in their case) that is quite capable of thrashing any server with legitimate or malicious traffic.

      Typically this isn't the case - the traffic flowing through the network is about what the servers can handle.

      Think of it this way - if you try to drink from a firehose, you're fine when the water is trickling out. When the hose cranks up, you're knocked on the ground no matter how fast you can swallow.

      Hence because the network Yahoo is sitting on has much higher capacity than yours, they are at potentially much higher risk...although the caveat here is that to flood a network like GlobalCenter's, you need to distribute the attack (as was done) in order to muster the packet flood required.

  72. "Zombie" client profile -- Windows or Linux? by KMSelf · · Score: 2

    Dave, we've seen several reports implicating Solaris and Linux specifically in the DoS attacks, and the tools provided by you and the FBI are aimed at Linux and Linux-like operating systems. Are these OSs representative of the actual clients which are being co-opted as zombies to launch the DoS attacks, or are they merely typical upstream or intermediate systems with sufficiently rich toolsets to allow monitoring and filtering of traffic.

    Information I'd heard from someone who'd experienced an attack was that clients were in fact most typically Windows machines -- which makes sense as they are very common and very easily compromised. The compromising code was described as a windows or Java virus time bomb, pre-set to launch against a specified site at a specified time -- somewhat different from the "master" and "slave" scenario described in the trinoo papers. Several copies of the virus have been retained. How does this fit with your experience?

    --

    What part of "gestalt" don't you understand?

  73. Is a network proof against DDoS possible? by Paul+Crowley · · Score: 4

    Is vulnerability to DDoS-type attacks due to a flaw in the design of TCP or IP, or is the design of a network that's inherently resistant to such attacks an unsolved problem? Is it possible to imagine a fix that would address this, or a protocol that wouldn't be vulnerable even when many machines are compromised?
    --

    1. Re:Is a network proof against DDoS possible? by Helge+Hafting · · Score: 1

      Is vulnerability to DDoS-type attacks due to a flaw in the design of TCP or IP, or is the design of a network that's inherently resistant to such attacks an unsolved problem? Is it possible to imagine a fix that would address this, or a protocol that wouldn't be vulnerable even when many machines are compromised?

      This has nothing to do with IP, or even computers. Parts of the phone system get blocked from time to time in the same way - for example when a popular TV show advertises a phone number. "Call in first to get a prize..."

      So there is no solution as long as thousands of machines are available for breaking in. Fixing that still leaves stuff like "Tomorrow is the day when everybody looks at the MS website" or "Let's all call their shitty ordering number simultaneously." The only difference is that the latter two cases require cooperation by an interest group, while the DDoS attack simply requires the "cooperation" of crackable machinery.

  74. Who can fix this, hardware people or software? by Kurt+Gray · · Score: 2

    OK, it has been obvious for years that TCP/IP is vulnerable to DoS attacks of all kinds. My question is who do you think has the best chance of fixing the DoS issues, hardware people such as Cisco (router makers) or ethernet chipset makers, or software people like kernel and network driver developers, or is it more of an issue of everyone will just have to work together to take TCP/IP to the next level? ...or is it just an issue of network admins need to learn how to apply existing technologies effectively to keep the skript kiddies under control?

  75. Re:Why exactly should the average citizen care? by /dev/niall · · Score: 1
    Generally there are groups that I would think have a better chance to "fend for themselves" so to speak. I think we all could agree that Microsoft is not entitled to such protection because they most likely could easily hire their own private army of assassins to do some form of quasi-legal garbage and just might get away with it.

    Well that's just spanky. At what point do we point to a rich private citizen and say "Okay chum, you're on your own!"? Just because they're big and nasty doesn't mean they're not entitled to the protection of the law. What if they started enforcing their own laws? I mean, you're saying the burden of responsibility is on them, wouldn't they be entitled to do so? I for one shudder at the thought of Microsoft coming up with and enforcing their own laws! :)

    Corporations because like so many of the people here have said are EEEEEEEEEEEEVVVVVVVVVVVIIIIIIILLLLLLLL and are akin to the Third Reich in their effect

    Hmm, does this count as a Hitler reference?

    --
  76. Re:Why exactly should the average citizen care? by /dev/niall · · Score: 1
    I could say that if one were to get at least $1,000,000,000 that said person has most likely defrauded some person or done something dishonest in their lives. That is a fact that I am at least 99.9% sure of.

    <sarcasm>Well, I for one will sleep well at night knowing you're the one making these decisions for us.</sarcasm>. What is this, some kind of Slashdot Inquisition?

    ...music...

    I was forced to use the internet to get what I wanted ...

    In the early years of the third millennium, to combat the rising tide of corporate unorthodoxy, the Pope gave Cardinal slashdot-terminal leave to move without let or hindrance throughout the internet, in a reign of violence, terror and torture that makes a smashing post. This was the Slashdot Inquisition...

    I'm no fan of evil corporations either, which is why I support the justice department when it goes after them. I also support privacy groups that look out for our rights. However, I recognize that without corporations we wouldn't have all that we have today... like the Internet! Tell you what, as soon as you figure out a way to send IP over smoke signals you let me know and I'll join your inquisition. ;)

    --
  77. Re:illegal? by /dev/niall · · Score: 1
    I have access to only a 2400bps modem at home; does that mean that it is a crime if I don't have a local number for a BBS to E-trade? When you get some technology you become dependent on it. When you chose to live 50 miles from work and relied on your car and it dies, do you feel cheated?

    I find it very difficult to believe you can't go work at Burger King for a week to earn enough money to buy a new modem.

    And if some punk kids slash my tires on the way to work, yes I do feel cheated.

    --
  78. Re:Why exactly should the average citizen care? by C.Lee · · Score: 0

    >Maybe because you'd like to buy something from them?

    And if you *DON'T* want to buy something from them?

  79. basic internet infrastructure by Phil-14 · · Score: 1

    I just checked, no one's asked this one yet. Which of the proposed improvements in the internet's infrastructure (IPv6 et alia) do you think will actually do something about distributed DoS attacks of this nature?

    --
    (currently testing something about signatures here)
    1. Re:basic internet infrastructure by Elgreco69 · · Score: 1

      Differentiated Services ("DiffServ"), developed by the IETF, will use 6 bits to set the priority of an IP packet. By doing this it will be able to control the allocation of bandwidth based on the type of service.

      In other words, people who smurf or fraggle will have their traffic dumped to the bottom of the request list allowing the server to deal with legit requests first. In theory this could diminish, or thwart, the effect of a DoS attack. This technology obviously isn't widely used yet (or may never be).

      There are other QoS (Quality of Service) technologies being developed, like RSVP (Resource Reservation Protocol), that may help defend against DoS attacks.

  80. Re:illegal? by Zachary+Kessin · · Score: 2

    I can think of several ways in which these may be Illegal.

    First of all, simply taking down a web site costs a company a huge amount. These web sites are the places where these companies conduct commerce. If they are not online they are losing money.

    Second, I can see this as being a form of racketeering. I'm not sure how the law is written, but I can see them being hit under the RICO laws that were meant to hit the mob. They are using an interstate attack to stop a legit biz.

    Third, stock fraud. Imagine that the people who did this took a short position on stock in Yahoo, then slammed the server; the stock goes down and they make a fortune. It does not take a big movement of the market to make (or lose) a lot of money for a lot of people. And this is definitely insider trading.

    I'm sure the FBI and the DOJ will find a few others too. I hope they nail whomever did this one to the wall.

    --
    Erlang Developer and podcaster
  81. Re:Automated hacking? by andreas · · Score: 1

    This is the most likely explanation. I mean, I could write such a tool, if I had enough time on my hands, and wouldn't care for more interesting problems.

    I don't believe all the conspiracy theories for a second. It was a single guy, or a very small group, and they were just trying to show off who's got the longest. It's been going on on IRC for ages.

  82. The Constant Fingerprint? by Effugas · · Score: 3

    While you've done an excellent job analyzing the various DDoS tools, one thing I think we all realize about DoS tools is that, as time passes, we *are* going to lose the ability to detect whether a packet is fully legitimate or if it contains a covertly channeled service denial command.

    What's more insidious is that I don't think we're going to even be able to determine the nature of an attack in progress. Given enough compromised clients, it's more than conceivable that enough pseudo-browsers surfing at a humanistic rate could take down highly database-driven sites, not to mention overload the maximum number of streams a multimedia site can supply. Such an attack would only reflect itself as the attack of the Window Shopping Hordes (http://slashdot.org/comments.pl?sid=00/02/08/1338245&cid=60)--people who search for everything but buy...nothing at all.

    If we won't always be able to detect the initiation of these attacks, and we won't always be able to detect the commencement of these attacks, would it be fair to say that the only moderately reliable fingerprint of a looming attack is the single packet or set of packets that compromised the OS into loading the attack daemon in the first place?

    If so, how can we use such fingerprints to our advantage? Should arbitrary core routers initiate tracer logs and NOC notification when large scale OS compromise fingerprints are detected?

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  83. Re:Answer: not viable by Effugas · · Score: 3

    That requires holding massive amounts of memory to hold all the information about which packets are going where, how many, etc.

    Nope, Sig. You need stateful analysis when you cross the single packet barrier--for example, when the presence of an outgoing SYN creates a temporary tunnel through the firewall for an incoming ACK of a given Port/ISN+1.

    It's just a comparison of the 32 bit Source Address with the 32 bit Network Address of the physical interface. That kinda thing doesn't even require Store And Forward...it's one or two AND ops. Where you start getting problems is when you have a layer or two of peered networks...but how many universities route packets for each other?

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  84. Stop Spoofing At The Backbone? by Effugas · · Score: 4

    How viable would spoof protection at the backbone level be? In other words, after a certain date, all downstream links are categorized as either able to peer for other network blocks, or simply not. Admins who can't be bothered to spoof-protect their networks would get IP source ranges outside their IANA assigned IP block dropped at their first upstream provider; sites which need to maintain peering relationships thus have their direct motivation (their backup networks will cease to function) to specifically lock down their peer forwarding to only those IP ranges they're actually peered with.

    Yes, you obviously get problems as peering scenarios get traveling-salesman levels of complexity, but most sites (to my knowledge) don't exceed more than a few levels of peering--we should take advantage of this fact to enforce a top down elimination of infinite source spoofability? And, if so, would the precedent that this creates help or hinder the growth and freedom of the Internet?

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

    1. Re:Stop Spoofing At The Backbone? by mattc · · Score: 1
      Hey, would you put your signature in your signature? I'm getting sick of looking at it.

      Thanks.

    2. Re:Stop Spoofing At The Backbone? by dennisp · · Score: 2

      There are many ISPs who do this already. The problem, however, is that there are too many who do not. I would assume one of the major problems to be portable IP ranges. If we want Tier 1 ISPs to do this, that is a large problem. Then, when we realize some smaller ISPs should be doing it as well, we realize that it's a big pain to get everyone doing this.

      I'm all for such an initiative, but it would be tons of work and cost a lot of money.

  85. Re:Answer: not viable by Effugas · · Score: 4

    A switch functions by only analyzing the raw ethernet (or mac) address.

    Not necessarily, anymore. L3 Switching and even L4 Switching is quite hot nowadays. Matching bits and ANDing them--that's what switches do, and that's what IP Interface checking does. L3 and L4 switches essentially match more bits in their quest to do better and more accurate QoS. I'm not absolutely sure if Cisco's switches will do the IP range checking, but I wouldn't be surprised if they did it in hardware. Sig, it's a cheap operation.

    > A router works at a higher level, and CAN do
    > stateful analysis... but for speed you really
    > shouldn't - that's what the firewall is for.
    > Firewalling the backbones would be... umm..
    > very bad.

    For cryin' out loud, this has NOTHING to do with State. Either I'm sending out a packet on a bogus source, or I'm not. This contrasts *heavily* against "Firewall receives an ACK packet--is it spoofed, or is it a response to a pre-existing SYN? Better check the state..."

    I'm not talking about firewalling the backbones, only the entry points. And what the hell do you think Yahoo screamed at their ISPs to do when lots of traffic was coming down the pipe that had nothing to do with the Web? "KILL EVERYTHING BUT PORT 80!"

    That's not firewalling the backbones. That's managing the access points.

    Yours Truly,

    Dan Kaminsky
    DoxPara Research
    http://www.doxpara.com

  86. Just so there aren't only questions on DoS attacks by moonboy · · Score: 2



    I'm currently looking for a job and I am very interested in the security side of System Administration. My question: Could you give a SysAdmin wanna-be some helpful advice, ideas, suggestions, etc. concerning career path? In my particular case, I don't have a CS or MIS degree (Liberal Arts actually) and about a year and a half of experience as an operator. I'm a Linux user and read O'Reilly books aplenty. Any advice would be greatly appreciated.

    ----------------

    "Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein

    --

    Co-founder and designer at Music Nearby: http://musicnearby.com
  87. Re: Please provide find_ddos source code by Tet · · Score: 2
    What we're concerned with is the fact that you want us to run precompiled code.

    Not only that, but some of us can't run it even if we wanted to (and without source, I wouldn't want to anyway). Where's my Linux/Sparc executable? What about one for my DGUX/m88k machine? The internet is not just Linux/x86 and Solaris.

    --
    "The invisible and the non-existent look very much alike." -- Delos B. McKown
  88. Re:Other methods? by Tet · · Score: 3
    From what I read of the specs on IPv6, all the data needed to track a packet from destination right down to the MAC address is included in the packet.

    I'm no IPv6 expert, but as I understand it, space is reserved for this information in an IPv6 packet, but it's not mandatory to fill it, it's only recommended. Maybe someone who knows more about IPv6 can confirm this?

    --
    "The invisible and the non-existent look very much alike." -- Delos B. McKown
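    As an added example (not from the original thread or either poster), here is what the IPv6 packet does and does not carry about the sender's hardware. There is no separate MAC field in the IPv6 header; what the thread is remembering is stateless address autoconfiguration, where the low 64 bits of the source address are a modified EUI-64 interface identifier built from the interface's MAC (RFC 2373 Appendix A), so the MAC can be read straight back out of the address. A host using randomized interface identifiers (privacy extensions, RFC 3041) or a manually assigned address gives nothing to recover. The code builds such an address from a MAC and prefix, then runs the inverse mapping; the MAC, prefix and privacy-style address below are constructed sample values.

```python
import ipaddress

# The 16-bit marker inserted into the middle of a MAC when forming a
# modified EUI-64 interface identifier.
FFFE = b"\xff\xfe"


def mac_to_iid(mac: str) -> bytes:
    """Modified EUI-64 (RFC 2373 Appendix A): split the 48-bit MAC in the
    middle, insert 0xFFFE, and flip the universal/local bit (0x02 of the
    first byte). Returns the 8-byte interface identifier."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    flipped_first = bytes([octets[0] ^ 0x02])
    return flipped_first + octets[1:3] + FFFE + octets[3:]


def slaac_address(prefix: str, mac: str) -> str:
    """Stateless autoconfiguration address: the /64 prefix announced by the
    router followed by the EUI-64 interface identifier of the host."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    high = net.network_address.packed[:8]
    return str(ipaddress.IPv6Address(high + mac_to_iid(mac)))


def iid_to_mac(address: str):
    """Inverse mapping, as an investigator tracing a packet would apply it:
    if the interface identifier carries the 0xFFFE marker, undo the bit flip
    and return the MAC. Otherwise (privacy extensions, random or manual
    identifiers) return None: there is nothing to recover. A random
    identifier can carry 0xFFFE by chance (1 in 65536), so a hit is strong
    evidence, not proof."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != FFFE:
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


# Constructed sample values (RFC 3849 documentation prefix).
SAMPLE_PREFIX = "2001:db8::/64"
SAMPLE_MAC = "00:0c:29:4a:1b:2c"
SAMPLE_PRIVACY_ADDRESS = "2001:db8::1234:5678:9abc:def0"  # no FFFE marker


if __name__ == "__main__":
    addr = slaac_address(SAMPLE_PREFIX, SAMPLE_MAC)
    print(f"{SAMPLE_MAC} on {SAMPLE_PREFIX} -> {addr}")
    print(f"{addr} -> MAC {iid_to_mac(addr)}")
    print(f"{SAMPLE_PRIVACY_ADDRESS} -> MAC {iid_to_mac(SAMPLE_PRIVACY_ADDRESS)}")
```

    Even when the MAC is recoverable it only identifies the interface that built the address, which in a DDoS is the zombie, not the person who installed the daemon on it; and since the source address of a flood can be spoofed just as it can in IPv4, the field is only trustworthy once ingress filtering makes it so.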
  89. there is - sm611551511357 by goon · · Score: 2
    there is....
    • alt.2600 (www.2600.com) - hacked pages database. Lists sites hacked by the month from what we can presume to be non-secured.

    --
    peterrenshaw ~ Another Scrappy Startup
  90. Did the Government Know of this in Advance? by Skim123 · · Score: 1
    According to an article, US government agencies had warned of such a DDoS more than a month ago. Supposedly, a "US Government agency warned more than a month ago that it had information that unidentified "intruders" were preparing for massive denial of service assault in the US."

    What I am curious to know is, say that you have this foresight, that these attacks are likely to come. What could large sites, such as Yahoo!, do to help prepare for the coming onslaught?

    --

    I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.

  91. Re:illegal? by Skim123 · · Score: 1

    Another good example is eBay. Imagine you couldn't get in the last two hours to place a higher bid on an item you really wanted. Now you are PO'd, and the guy who was selling the item is out $$$.

    --

    I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.

  92. Re:illegal? by Skim123 · · Score: 1
    Are these attacks really illegal?

    Of course. The people were purposely trying to bring a large web site to its knees - malicious intent.

    Furthermore, they illegally employed the use of other people's computers to perpetrate their crime.

    Imagine you did some action to congest the highways of a large city with road blocking thingies. Imagine you got caught. Would you be arrested? I'd bet so... and you'd probably be fined or put in jail for a short while.

    --

    I could not justify my existence if I were a turkey farmer. Would I terminate myself? Undoubtably, yes.

  93. Motive for DDos attacks? by Ken+Broadfoot · · Score: 1


    Okay, we have heard a few.. Geeks trying to "have fun", electronic protest, NSA/Government conspiracy.

    Question: Are all the targets NASDAQ companies?

    Remember when eBay crashed a while back and its stock took a huge bite over the deal? Imagine if you had a very large investment on a "Sell Short" bet.

    Say I "Sell Short" a million dollars worth of Yahoo! stock, then pound on Yahoo! to cause the stock to drop. However we noticed it did not drop the first day so we have to do it again the next day etc...

    What do you think? Instead of making a DDos sniffer, I would look for a Yahoo! competitor to be purchasing "shorts" of Yahoo stock.

    --
    Bitcoin pyramid: Join here: http://www.bitcoinpyramid.com/r/1427 it's FREE!
    1. Re:Motive for DDos attacks? by JoeBuck · · Score: 2

      Doesn't have be a "Yahoo! competitor" -- it can be some lamer day trader with a short position on his ETrade account.

    2. Re:Motive for DDos attacks? by Minty+Toothbrush · · Score: 1

      I would imagine that these are the real financial reasons behind the FBI's hard core investigation of this event.

      Minty Toothbrush

      --


      If an infinite number of monkeys typed at an infinite number of
      computer keyboards, they would all be
  94. Re:Why exactly should the average citizen care? by Ken+Broadfoot · · Score: 1

    I really believe the motive is money via stock price manipulation.

    Taking down a dot.com company is like grounding an airlines fleet.

    --
    Bitcoin pyramid: Join here: http://www.bitcoinpyramid.com/r/1427 it's FREE!
  95. hahaha by Ken+Broadfoot · · Score: 1

    Captain Taco... I like it.. I hope it sticks...

    ( just a little demotion, eh? )

    --
    Bitcoin pyramid: Join here: http://www.bitcoinpyramid.com/r/1427 it's FREE!
    1. Re:hahaha by 348 · · Score: 1

      actually, in the Navy it would be a promotion.

      --

      More race stuff in one place,
      than any one place on the net.

  96. Re:Steve Jackson Games?? by cpt+kangarooski · · Score: 1
    --
    -- This and all my posts are in the public domain. I am a lawyer. I am not your lawyer, and this is not legal advice.
  97. Ask Dave: Why you want to help the FBI? by Taco+Cowboy · · Score: 2



    This question might be seen as a troll, but it is not.

    Why do you want to help the FBI, Dave?

    The FBI is an apparatus for the Big Brother, the same Big Brother which has taken away so many of our basic rights, and the same Big Brother which has done a lot to limit our rights online!

    Why are you helping the FBI, Dave?

    --
    Muchas Gracias, Señor Edward Snowden !
  98. Distributed scanning? by tilly · · Score: 2

    What do you think about setting up an ongoing distributed scanning effort, to identify compromisable machines, and to get the owners to lock them down?

    I would like your opinion both on whether this is doable and whether it would likely prove useful.

    Thanks,
    Ben

    --
    My usual seat in the cluetrain is at A HREF="http://pub4.ezboard.com/biwethey.ht
  99. Answer: not viable by Signal+11 · · Score: 1
    That requires holding massive amounts of memory to hold all the information about which packets are going where, how many, etc. Stateful inspection *really* slows down routers and the backbones can barely keep up with the growth rate as is.

    It's just not practical right now at the backbone level - not without a major, major overhaul of the existing system. Besides.. how do you define a DoS attack in the first place? It's easy to spot one now.. but what about 80k queries/sec that all look like legitimate traffic? How do you filter THAT ?

    1. Re:Answer: not viable by Signal+11 · · Score: 1
      A switch functions by only analyzing the raw ethernet (or mac) address.

      A router works at a higher level, and CAN do stateful analysis... but for speed you really shouldn't - that's what the firewall is for. Firewalling the backbones would be... umm.. very bad.

    2. Re:Answer: not viable by Signal+11 · · Score: 1

      Wonder what the response would be if they sent a few billion requests for random pages to their website and did searches..............

  100. trust by Signal+11 · · Score: 2
    Maybe not directly related, but it is central to security...

    Why should businesses and individuals trust the government?

    As a business, why should it try to help the FBI? I've seen and heard about "busts" which leave a company high and dry. As a business, I wouldn't want something like what happened to Steve Jackson Games happen to me. If you want the support of both businesses and individuals.. what are you doing to assure them that you won't use heavy-handed tactics like stealing their computers or data? More institutions would come forward with their logfiles and information if they knew the FBI could be a) trusted with that information (there has been rumor that agencies like the NSA give out trade-secrets to shut down competing industry) and b) would not conduct an investigation of a scale or type which would interfere with normal business operations. I don't want to hear about how "illegal" such operations are.. I want to know who's accountable when such abuses are made, what procedures are in place to deal with such a contingency, and how effective these measures are.

    If you want to help national security - drop the pretenses and be honest with us.

  101. Re:Long term solutions? by JoeBuck · · Score: 3

    You write:

    Given that IP spoofing is a fundamental flaw in IPv4 ...

    But is that really true? If every router refused to pass packets that clearly lie about their origin, IP spoofing would be a lot harder to do.
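    The check that comments 83 and 85 describe (compare the packet's 32-bit source address against the network number of the interface it arrived on, a mask-and-compare with no connection state) and that the reply above asks for from every router is network ingress filtering, written up in RFC 2267 (later BCP 38). The following is an added example, not code from the thread or from Dave Dittrich's tools: an edge router model that applies the source check to outbound packets and, on the inbound side, refuses to forward packets aimed at a subnet broadcast address, which is the directed-broadcast behaviour that Smurf relies on. The topology and the packets are constructed sample data using the RFC 5737 documentation prefixes.

```python
import ipaddress
from dataclasses import dataclass

# Constructed topology: the downstream customer link behind this edge
# router is routed exactly these two blocks, and the local side owns
# 192.0.2.0/24. A real router holds this per interface.
DOWNSTREAM_PREFIXES = ("192.0.2.0/24", "198.51.100.0/25")
LOCAL_PREFIXES = ("192.0.2.0/24",)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp" or "icmp"; only labels the sample data


def prefix_match(addr: int, prefix: str) -> bool:
    """The 'one or two AND ops': mask the address and the network number
    with the prefix mask and compare. No per-flow state is involved."""
    net = ipaddress.IPv4Network(prefix)
    mask = int(net.netmask)
    return (addr & mask) == (int(net.network_address) & mask)


def source_is_valid(pkt: Packet, prefixes=DOWNSTREAM_PREFIXES) -> bool:
    """Ingress filter (RFC 2267 / BCP 38): a packet arriving from a
    downstream link may only carry a source inside the prefixes routed to
    that link. Anything else is spoofed and is dropped at the first hop."""
    src = int(ipaddress.IPv4Address(pkt.src))
    return any(prefix_match(src, p) for p in prefixes)


def is_directed_broadcast(pkt: Packet, prefixes=LOCAL_PREFIXES) -> bool:
    """Smurf reflector check on the inbound side: a packet from outside
    aimed at the broadcast address of one of our subnets would be answered
    by every host on it, so the edge router must not forward it."""
    dst = int(ipaddress.IPv4Address(pkt.dst))
    return any(dst == int(ipaddress.IPv4Network(p).broadcast_address)
               for p in prefixes)


def filter_outbound(packets):
    """Packets leaving the downstream network toward the Internet.
    Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if source_is_valid(pkt) else dropped).append(pkt)
    return forwarded, dropped


def filter_inbound(packets):
    """Packets arriving from the Internet toward the local network.
    Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        (dropped if is_directed_broadcast(pkt) else forwarded).append(pkt)
    return forwarded, dropped


# Constructed sample traffic. 198.51.100.200 lies outside 198.51.100.0/25
# (hosts .0 to .127), so it is as spoofed as the 10/8 source.
OUTBOUND_SAMPLE = [
    Packet("192.0.2.10", "203.0.113.5", "tcp"),       # legitimate
    Packet("10.9.8.7", "203.0.113.5", "tcp"),         # spoofed, not routed here
    Packet("198.51.100.200", "203.0.113.5", "icmp"),  # spoofed, just past the /25
    Packet("198.51.100.77", "203.0.113.5", "icmp"),   # legitimate
]
INBOUND_SAMPLE = [
    Packet("203.0.113.5", "192.0.2.255", "icmp"),     # echo to subnet broadcast
    Packet("203.0.113.5", "192.0.2.10", "icmp"),      # ordinary ping to one host
]


if __name__ == "__main__":
    fwd, drop = filter_outbound(OUTBOUND_SAMPLE)
    print(f"outbound: forwarded {len(fwd)}, dropped {[p.src for p in drop]}")
    fwd, drop = filter_inbound(INBOUND_SAMPLE)
    print(f"inbound: forwarded {len(fwd)}, dropped {[p.dst for p in drop]}")
```

    The caveat the thread already raises applies unchanged: the source check only works at the edge, where the router knows which prefixes legitimately sit behind a link. A transit or peering router that carries many blocks for others cannot apply it, which is why the filter has to be deployed by every access network rather than by the backbones.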

  102. Re:illegal? by revnight · · Score: 1

    no, you don't need two cans and a string. you should, however, carry around 35 cents in case your cellphone dies.

    --
    "The things we wizards have to put up with."--Jethro Bodine
  103. Re:Questions of Jurisdiction, and coordination. by Evan+Vetere · · Score: 2

    If we could conclusively determine that the attack originated from within, say, Iraq, we would ask Baghdad to prosecute and we'd give them the tools to do so. If they refused, or denied, we could conceivably label that harboring a terrorist, and take retaliatory/defensive action.

    Of course, I have a very hard time imagining the Clinton Administration taking any kind of for-real action against terrorists. Remember his Great Crusade Against Terrorism in 1998? The one that coincided with impeachment, and dropped off radar in February 1999?

  104. Collateral Damage by chromatic · · Score: 2

    Is collateral damage a concern? I mean, if a site like Yahoo! is hit with a gigabit of data per second, won't that take up a lot of the bandwidth between the DoS clients and the target?

    Or are these sites so close to the Internet backbone that the additional traffic is localized?

    --

  105. Seriousness of these attacks? by MAXOMENOS · · Score: 2

    I know you're not a shrink or a sociologist, but I'm still very interested in your opinion: What is it about these smurf attacks that the people find so fascinating, or horrible? Do they really pose that serious a threat to network security? Why do the media find it fascinating?

    BTW, the DDoS scanner is a nice hack. Thanks for releasing the source!

    1. Re:Seriousness of these attacks? by TVmisGuided · · Score: 1

      IMHO two things got this into the media:

      1. Some 'big-name' e-commerce sites were affected, and it made their owners mad.

      2. The press was bored; no big political scams, no new wars, no new serial killers...and anything bad relating to high-tech is supposedly newsworthy in the absence of the first three.

      Five cents, please...

      --
      All the world's an analog stage, and digital circuits play only bit parts.
  106. Re:Recognizing DoS by Kris_J · · Score: 2
    This is a particularly interesting question. Similar discussion can be found in at least two other places where "bots" are used to replace humans; Quake & get-paid-to-surf systems.

    In Quake, bots can be used to aim and fire weapons, and they're deadly efficient. How do you tell the difference between an exceptional human and a standard aiming bot?

    With the schemes that pay you to surf, they try to make sure that someone is actually at the computer being exposed to the ads. They do this by monitoring mouse and keyboard activity. They claim to be able to detect bots, but I recall a quote from one CompSci professor who said that he'd fail any of his students that couldn't produce an undetectable bot.

    In the real world, you can tell that a traffic jam is artificial when you see the truck parked across the road, but how do you detect a DDoS attack with a low probability of false positives (or false negatives)?

  107. Re:Other methods? by LWolenczak · · Score: 1

    Probably not, at least in the area covered by ARIN, due to the price of buying and maintaining IPv6 address space with ARIN.

  108. The Silver Bullet against future DoS Attacks by Ex+Machina · · Score: 2

    What solutions, suggestions and advice can you offer people designing network systems and technologies to defend against DoS attacks? On what level should this be handled (IP, Application)? How can writers of new protocols (like ip6), servers (like Apache) and operating systems (like BSD or Linux) deal with this?

  109. Internet Worm -- Episode 2 by Ex+Machina · · Score: 3

    What do you have to say to the idea that this could be a DoS attack launched by computers infected with a Robert T. Morris-style worm? Would it be possible to launch something like this and have it and its probes remain undetected until a date when it will launch a synchronized DoS?

  110. Re:Antionline: True help? by cswiii · · Score: 1

    Heh, now that you mention it, that almost sounds viable... but only when you consider this less a case of "raising more consulting business", as much as it would be to boost John Vranesevich's already overinflated ego.

    Uh-oh. Maybe ole JV will try to sue me now.

  111. Antionline: True help? by cswiii · · Score: 3

    I saw this evening on CNN that the FBI has enlisted the help of none other than Antionline, in its search for the perpetrators of the DoS attacks. What is your opinion, regarding this decision? How does this reflect upon the FBI's ability to investigate cybercrimes?

    1. Re:Antionline: True help? by El+Volio · · Score: 2

      Hmm... I smell a potential conspiracy. I'm not accusing anybody of anything, but what if someone caused all this in the hopes of raising more consulting business (a less-paranoid version of the theory that the NSA is behind all this...)

      --

      "You can never have too many elephants on your team."

  112. Re: Please provide find_ddos source code by Greg+Titus · · Score: 1
    This is the guy who provided the source code to ddos_scan right here. Even if he is behind the FBI's differently named tool, as Roblimo is saying, he obviously isn't asking you to run a tool without source code.

    You need to ask whoever it is that is administrating the web site at the FBI why there isn't source code available.

  113. Way to go! by Amnesiak · · Score: 1

    Sorry, it might be a bit off-topic, but I just have to say that Dave is a great help to the UW group and the linux community in general. I'm glad he's finally getting some great recognition.

    Way to go Dave!

    1. Re:Way to go! by 348 · · Score: 2
      Yeah, and I would have gotten away with my evil DoS attack if it wasn't for you and those pesky kids.

      Mr. Harper, the old fairgrounds caretaker

      --

      More race stuff in one place,
      than any one place on the net.

  114. Re:Why exactly should the average citizen care? by Helge+Hafting · · Score: 1

    A ton of money flows into Amazon every day. In the Oct, Nov, and Dec 1999, they took in about $676 million. So 2 hours of downtime could cost them 676m/90 days/24 hours * 2 hours = $626,000, over $5,000 a minute.

    You can't use math like that. Sure, they expected that revenue during the 2 hours. What happened to those who couldn't buy? They didn't *all* run to a competitor. Some did what you always do with net trouble: waited, and tried again. Amazon probably had a period with slightly more sales than normal right after the attack, due to people catching up. Sure, they lost some, but not all!

  115. Re:Why exactly should the average citizen care? by Helge+Hafting · · Score: 1

    Considering that the targets of these attacks have been large corporations and such I ask this.

    You might as well ask "why should the average citizen care about shoplifters hitting large supermarket chains, large banks robbed, and so on?"

    The same answers applies.

  116. Re:Other methods? by Helge+Hafting · · Score: 1

    Would changing to IPv6 help eliminate these type of attacks? From what I read of the specs on IPv6, all the data needed to track a packet from destination right down to the MAC address is included in the packet.

    Nope. First, IPv6 doesn't need to contain any MAC addresses. Second, you would merely track down the compromised systems. You can do that already using IPv4. It doesn't help, unless having a crackable machine becomes illegal. Third, these people are breaking rules already and wouldn't worry a bit about putting fake info in their IPv6 packets, possibly causing trouble for some third party as well when angry but clueless sysadmins are misled onto them.

  117. Re:A solution by Helge+Hafting · · Score: 1

    Filtering doesn't help. The attacker doesn't bother with bouncing strange packets. He simply breaks into tons of systems using an automated tool. He can then make each of those breakable systems attack - from perfectly valid addresses. Tracing back to the broken systems will be trivial, but the attacker doesn't care as they aren't his broken systems. Innocent people who have easily crackable machines get all the heat.

  118. Re:Long term solutions? by Helge+Hafting · · Score: 1

    But is that really true? If every router refused to pass packets that clearly lie about their origin, IP spoofing would be a lot harder to do.

    This isn't even the problem. A distributed DoS attack doesn't need spoofing at all. Just break into 1000 sites, then have each point 50 browsers at your target. Instant overload, no spoofing.

  119. Re:IPv6 misinfo, correction by Helge+Hafting · · Score: 1

    IPv6 doubles the average packet size for real time protocols with small packet sizes, like VoIP, which I specifically mentioned as an example. VoIP data is transmitted in very small packets, because delays must be kept to a minimum. Using IPv6 would double your bandwidth requirements.

    IPv6 was designed with less delay in mind, so you may be able to put more data in each packet and suffer less. IPv4 is checksummed and possibly fragmented at each router; IPv6 isn't. So IPv6 routers can be built with less delay. You may, for example, start transmitting a packet before you have received all of the header. Less delay on every router quickly adds up over long distances.

  120. where are the logs?? by griffjon · · Score: 2

    The tools for detection, and your explanations of the clients are great, but could the community get a chance to see some of the logfiles of the floods? You want this fixed real fast, post a few of those and let the brainpower of all the whitehat hackers loose on the problem.

    --
    Returned Peace Corps IT Volunteer
  121. Long story short... by Samurai+Cat! · · Score: 1

    They got hit with Operation Sundevil, a Secret Service operation nailing hackers back in the late eighties. Stuff about the E911 documents floating around the net at the time was apparently on SJG's Illuminati BBS. (The same E911 docs that got the Atlanta Three tossed in the pokey for a year or two each.) The SS raided SJG's offices, snagged a lot of computers and other stuff - most of which (I believe) they never got back. SJG sued, and a judge actually ruled against the SS! The funny thing was, SJG was working on a new board game, called "Hacker". The SS people found the materials for this, and went nuts. They were convinced it was a "manual for hacking". When told "no no, it's a game," one agent replied "No, this is real." Some people just can't see outside their preconceived little worlds...

    --

    "People" using "unnecessary" quotes should be "shot".
  122. This P.O.s. crashed my system by Mojojojo · · Score: 1

    That piece of shit crashed my computer...it had been up for like a month...my servers get about 115 though ;) Good thing I didn't try it out on that system.

  123. Where do we place responsibility? by kj98 · · Score: 1

    Inevitably, the media has been focusing on the "evil hackers" responsible for these attacks. This will likely bring about a knee-jerk legislative response that seriously punishes individuals for initiating these types of attacks. DDoS attacks, however, are made possible by the thousands of compromised systems serving as DoS daemons (or masters).

    What (if any) degree of responsibility do system owners have to ensure their machines are secured against intrusion?

    Do you think the courts will ever place a legal responsibility on vendors, or individuals, to take steps to ensure their machines can not be used in this manner?

    Can Denial of Service alone (ignoring the initial intrusion used to plant the DDoS tools) really be considered anything more than simple vandalism? After all, it is certainly not "Hacking", even in its current media sense.

  124. Re:Long term solutions? by wavelet · · Score: 1


    The point of a robust transport protocol is that it shouldn't have to depend on the router to do things for it. TCP guarantees packet sequence, for example, despite what the routers do with it. It's IP's job to provide source and destination information.

    Say you squash spoofed packets with non-localnet sources. What about spoofing all the other IPs in your localnet? Granted, that's a much smaller problem, but IP is still broken. Localnet-to-localnet traffic is still broken.

    The motto is something like: "robust in what you accept and strict in what you output".

  125. Hey wait a minute. by glen · · Score: 1

    Didn't they just let Kevin Mitnick out of prison?

    uh-oh.

  126. Should security research be done in obscurity? by crush · · Score: 4

    It is nearly a mantra among us that there is no security through obscurity. It would seem that with a sufficient number of us too lazy or too ignorant to secure our own machines that there is possibly no security through openness either. Do you think that the open research model that Mixter, Farmer and others have always advanced as a reason for releasing their tools is still justified?

  127. Recognizing DoS by angst_ridden_hipster · · Score: 4

    I think one of the biggest issues will be identifying Denial of Service as an attack. I have a legitimate load testing utility that simulates actual browser traffic. Say I run it against someone else's site. They'll see that a lot of traffic's coming from me, and eventually figure out it's bogus and take appropriate measures. But distribute this, and it'll look like actual traffic. Get enough friends doing it, and we take 'em down with what appears to be perfectly normal browsing.

    The analogy to the "real" world is roads and bridges. During normal hours, they run well. During rush hour, they clog up and perform poorly. And during a demonstration (like recent examples in Seattle and Miami), they clog up and perform poorly. You can consider the recent anti-WTO situation up in Seattle to have been a DoS attack on downtown. But you wouldn't consider gridlock at 5:30PM in Los Angeles to be a DoS attack.

    To solve these problems, you have to know what's causing it. If it's just normal traffic and the infrastructure is insufficient, it gets ignored until people get fed up enough to vote more tax money into building wider roads or better public transportation (again, analogous to buying more servers or a fatter pipe). If it's demonstrators, you either address their concerns or you send in the National Guard to beat the crap out of them (depending on the political climate).

    In this world, it's easier to differentiate the two situations. If a bunch of cars are jammed together at rush hour, you know it's a traffic problem. If it's crowds of people singing songs and holding signs, you know it's a demonstration. And if it's a possible sick-out at Northwest Airlines, you're not sure if it's a DoS or not, so you get a warrant to read their home email and find out.

    With computer protocols, though, usage and abuse can look identical. Even wild surges in activity can be from legitimate usage. How do you foresee systems being put in place that can differentiate between actual usage and DoS? Doesn't this almost inevitably lead to some non-forgeable, traceable, unique identifier? And doesn't this translate to the demise of privacy on the web?

    --
    Eloi, Eloi, lema sabachtani?
    www.fogbound.net
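    The problem raised in this post (a load generator spread across many hosts looks like ordinary browsing) can be shown with a small detector comparison. This is an added example, not code from the post or from any tool mentioned in the thread; the log format, the addresses (192.0.2.0/24 and 198.18.0.0/16 are constructed sample ranges) and the thresholds are all assumptions. It runs a classic per-source rate limit and a simple aggregate anomaly check over the same constructed access log.

```python
from collections import defaultdict

WINDOW = 60  # seconds per analysis bucket (assumption)


def parse_line(line):
    """Parse a constructed access-log line of the form '<epoch> <src_ip> <path>'."""
    ts, src, path = line.split()
    return int(ts), src, path


def bucket(lines):
    """Group log lines into per-window {src_ip: request_count} tables."""
    windows = defaultdict(lambda: defaultdict(int))
    for ts, src, _path in map(parse_line, lines):
        windows[ts // WINDOW][src] += 1
    return windows


def per_source_offenders(counts, limit=30):
    """Classic per-client rate limit: flag any single source above `limit`
    requests in one window. Light, distributed clients never trip it."""
    return sorted(src for src, n in counts.items() if n > limit)


def aggregate_anomaly(counts, baseline, factor=5):
    """Flag a window whose total requests AND distinct sources both jump by
    `factor` over the baseline window. This says 'abnormal', not 'malicious':
    a flash crowd produces the same signal as a distributed flood."""
    total, distinct = sum(counts.values()), len(counts)
    base_total, base_distinct = sum(baseline.values()), len(baseline)
    return total >= factor * base_total and distinct >= factor * base_distinct


def make_constructed_log():
    """Constructed sample: window 0 is quiet; window 1 adds 400 hosts that each
    make three ordinary-looking requests (the 'distribute it' case)."""
    lines = []
    for w in (0, 1):  # 30 regular clients, 2 requests each, in both windows
        for i in range(30):
            for k in range(2):
                lines.append(f"{w * WINDOW + i + k * 20} 192.0.2.{i + 1} /index.html")
    for a in range(400):  # 400 constructed agents, 3 requests each, window 1 only
        for k in range(3):
            ts = WINDOW + (a * 3 + k) % WINDOW
            lines.append(f"{ts} 198.18.{a // 250}.{a % 250 + 1} /search?q=book")
    return lines


def analyze(lines):
    """Return per-window statistics and what each detector would flag."""
    windows = bucket(lines)
    baseline = windows[min(windows)]
    report = {}
    for w in sorted(windows):
        counts = windows[w]
        report[w] = {
            "total": sum(counts.values()),
            "distinct": len(counts),
            "per_source_flags": per_source_offenders(counts),
            "aggregate_anomaly": w != min(windows) and aggregate_anomaly(counts, baseline),
        }
    return report


if __name__ == "__main__":
    for w, stats in analyze(make_constructed_log()).items():
        print(f"window {w}: {stats}")
```

    The per-source check stays silent in the busy window because every one of the 400 agents looks like a browser that loaded three pages; only the aggregate view (total requests and distinct sources both jumping) notices anything, and it cannot say whether that is an attack or the rush-hour traffic jam from the post's analogy. That is why such a signal is better treated as a trigger for investigation and capacity decisions than as an automatic block.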
  128. Re:Why exactly should the average citizen care? by Merk · · Score: 1

    Ok, you guys really should quit assigning your replies to each other a score of '2'. There's a reason why there's a "No Score +1 Bonus" checkbox.

  129. Questions of Jurisdiction, and coordination. by Vladinator · · Score: 2

    Given that this attack could be originated by someone in Europe or Asia, what sense is there in the FBI getting so involved? How will they handle the matter if it turns out that the cracker is in Libya, or Iran or Iraq? What if he's in China? What good does it do to try to track the cracker down, when a more productive effort would be to increase security awareness, and get people to configure their equipment properly?

    Hey Rob, Thanks for that tarball!

    --

    "Going to war without France is like going deer hunting without your accordion." - Jed Babbin

  130. Who done it? by aberoham · · Score: 1

    After tracking down and analyzing the trinoo code and now (months later, I assume) seeing what sites are being hit by the current rash of DDoS shenanigans, what's your educated guess as to where these attacks are originating?
    Are there just a bunch of hapless teenage script kiddies turned tcp/ip coders out there who've decided "[corporate website here] SUCKS ASS", or - as some have speculated - is this distributed DoS system too complicated and thought out to be devised by anyone but a conspiracy of corporate & government interests?

  131. Mod parent up by homunq · · Score: 1

    And mod this comment down to 1 while you're at it.

    This is a serious attack, it deserves to be heard and responded to, I'm willing to give up a karma point for that.

  132. Re:Firewalls for Dummies? by Ozric · · Score: 1

    You are a fool if you think you can cause more monetary damage with a car than a computer. And yes, in the US human life does have a price on it, as cold as that might seem. In other countries human life is of little or no value at all.

    What are you saying really ? You could not pass the test ? It would hurt sales ? What a crock of shit. We already have restrictions on export of Supercomputers for some countries, did you know that dip shit. I don't see the Feds freaking out about car exports.

    And yes @home and RR are a hazard, just because you do not see the danger does not mean that it is not there. Now go stick you head in the sand.

  133. Re:Firewalls for Dummies? by Ozric · · Score: 1

    Driving laws are only for PUBLIC HIGHWAYS and ROADS. You can disregard the law when using a car on private land. Now do you understand where I am coming from? I am not recommending a test for ALL computer users, perhaps not even a test at all, more like a class to educate people about the dangers.

    You can debate the car vs computer thing all day. Check the numbers on computer related crimes and you will see for yourself.

    My spelling of DIP SHIT is not an issue, I was just trying to elicit a response, and it appears that I was successful.

    Agreed, not yet anyway. I am not one to give the FEDs any more fuel, they are already looking for ways to control the net. But I think the last few weeks have scared them even more into understanding how important computer skills are and will be in the 2k's. Soon there will only be 2 classes of people, those with computer skills and those without.

  134. Re:Firewalls for Dummies? by Ozric · · Score: 2

    People who don't know how to drive should stay off the road. Most people feel that way.

    The Internet is being marketed like eye candy and everyone, I repeat EVERYONE, wants everyone to get on the "NET". These newbies and MCSE dime-a-dozen sysadmins are setting up the whole net for a big crash. There is NO WAY to protect the stupid and lazy from crackers. Every day there is more fresh meat for the crackers to exploit. Secure 3 systems and 20 more hit the net for the first time. I have scanned my subnet on RR and I have found people with their systems wide OPEN, I could have printed on their printers for Christ's sake.

    This issue is about locking down systems connected to the net. That is where the whole problem started. The best admin can't be expected to keep up with all exploits on all of his systems all the time, but he should have his Internet-facing systems LOCKED DOWN and a good firewalling/auditing plan in place to help him out.

    If we can't get admins with big pipes and big iron to keep the lid on their systems how in the world do you think Joe PIII 750 with a DSL is going to fare ?

    A persistent Internet connection is not a toy. People should have to take a class before they are given such a powerful weapon. People have had to take driving tests for years and everyone is better off for it. I wager that I could cause more damage with my computer than with any type of motor vehicle any day, of course nobody would get killed, but we seem to have even put a price tag on that as well.

  135. Re:A solution (?) by fluffhead · · Score: 2

    I was going to make an observation along these lines, only with respect to network hardware manufacturers (Nortel, Cisco, Lucent et al.). Their end-user connectivity products (as opposed to backbone products) should not be forwarding spoofable-origin packets to the Internet BY DEFAULT. This would not be unduly burdensome to implement in software or hardware, although of course getting upgrades out to everybody is still an issue. Unfortunately, it seems the old distinctions of bridge vs. router vs. switch vs. gateway have all but disappeared these days in the rush to hook everything to the net....

    --

    #include "disclaim.h"
    "All the best people in life seem to like LINUX." - Steve Wozniak
  136. IPv6 and the Press by Midnight+Warrior · · Score: 2

    Most network-savvy folks know that IPv4 was never designed for the hostile environment that the Internet has become.

    For the Slashdot community: Is now the time to start pushing IPv6 to the World At Large, since IPv4 now has two large weaknesses (spoofing and small address space)? And what would you say to convince them or unconvince Slashdot readers?

    As you respond to this question, could you please reply in a fashion such that on-looking journalists can quote you to the general public?

  137. Re:A bit offtopic, but YAY /. by e-gold · · Score: 1

    maybe even raising the bar for the media elsewhere.

    I think you may be damning Slashdot with faint praise. The bar's under about 6 inches of mud at the moment, IMO. I get annoyed every time I see anything about this.

    I saw something quite insightful from Michael on a mailing list today. I haven't even had time to look for it here, but I hope it gets moderated way the hell up, because the media need to see it.
    JMR

    --
    Try e-gold - (contact me). I'm NOT e-
  138. Re:Why exactly should the average citizen care? by Tower · · Score: 1

    As the average net-citizen, you should at least be concerned that the people running the attacks may be using your box or one that belongs to someone you know... which, if for nothing else, should serve to raise awareness for everyone who has their box connected 24/7 via cable or DSL.

    Maybe you don't care if your box is involved in taking out one of your favorite sites (Dammit, my.foobar.com is down again!), but I would think that you *should* care. Do you lock your car in a parking lot - chances are it'll be fine, but hey... why chance it. Same here.

    --
    "It's tough to be bilingual when you get hit in the head."
  139. Re:The question that we all REALLY want answered by Tower · · Score: 2

    Lee-nooks

    at least, that's more or less how Linus pronounces it... which is the only thing that really counts...

    --
    "It's tough to be bilingual when you get hit in the head."
  140. This is good by GMontag · · Score: 1

    Hopefully it will be modded up. Too bad the author was AC, they should get points.

  141. Wall of Shame? by Charlie+Kinbote · · Score: 1

    It seems to me that the really important thing is to encourage sysadmins to properly secure their systems against being used as a DDoS handler or agent. Public humiliation may be the only effective means of such encouragement.

    Should there be a "Wall of Shame" web-page which identifies the systems that were compromised?

  142. Estimated "damage" by Hard_Code · · Score: 2

    Perhaps you're not exactly the perfect person to answer this question, but it seems to me that many companies claim outlandishly large costs of "damage" running in the millions and hundreds of millions, when these things occur. In your opinion, are these claims justified, or are they just scare tactics?

    (I know sites like eBay and Amazon, for example, do a lot of business, but really, millions of dollars lost? If I really wanted to buy the book, I could wait three hours till the site was back up, and they wouldn't lose any money. Where do these numbers come from?)

    Jazilla.org - the Java Mozilla

    --

    It's 10 PM. Do you know if you're un-American?
    1. Re:Estimated "damage" by Supergrass · · Score: 1

      The real damage is not in that you simply couldn't buy the book -- the damage is to their reputation and customer base. You'd probably go to Barnes & Noble if you couldn't get something from Amazon, right? I agree it's difficult to place a monetary value on the damages, but the situation isn't as cut-and-dried as "well I'll just go back once they're no longer DoS'd."

      The situation with eBay and E-Trade is even worse, because a denial of service is preventing users from doing business with others, not just the company affected by the DoS.

      --
      Wherever there's a will, there's a motorway.
  143. The question that we all REALLY want answered by [Dilbert] · · Score: 1

    "Linn-ucks" or "Line-ucks"?

    --
    From a motherboard manual, error beep codes: S-L-L-L-SS: Speaker Error
    1. Re:The question that we all REALLY want answered by Roadmaster · · Score: 1

      This is lame. Anyway, if you've ever installed Red Hat Linux (beyond version 5.0, I believe) and have paid attention to the WAV sndconfig uses to verify correct hardware configuration, it's Linus, and he says he pronounces Linux as "Lee-Nucks".

  144. Re:illegal? by interiot · · Score: 2

    I believe there's some law about real-life protesting... you're allowed to stand in front of a building and protest, as long as you don't prevent customers from getting into the building. I assume that it's not a huge stretch to extend that law to the 'net.

  145. Government by interiot · · Score: 3
    If you've had much contact with security specialists working for the government, how much confidence do you have in them that they're smart enough to:
    • Understand the problem well enough
    • Spot good solutions if they come along
    Slashdot generally seems to feel that the government doesn't have a clue about tech issues, but the NSA has had its moments of brilliance in the past.

    DDoS attacks ARE a problem. I could imagine that they could serve as terrorist/psychological attacks in time of war. Because the computers that are doing the actual DoS attacks could be within the country being attacked, the attacks would be nearly impossible to stop at the borders.

    1. Re:Government by HancockDC · · Score: 2
      I will say this: The FBI had a working version of their tool over New Years Day weekend, and it detected a stacheldraht daemon running on one of the machines in our network. This allowed me to take early proactive steps to reduce the odds that one of my systems would be part of such childishness.

      SANS and CERT have been on this in a low-key sort of way for a month and a half, and system administrators have been scanning, reading logs, and taking extra steps to secure their systems.

      This has raised awareness, and while I sympathize with the victims of the past few days, it certainly vindicates the amount of time I have spent reading syslogs, installing patches, running scans for illicit activity, and so forth. And I am under no illusions that my systems are immune.
      --
      -----------------------------------------
      Computeri non cogitant, ergo non sunt
  146. Traffic Analysis by Chalst · · Score: 2

    TCP already includes 'niceness' tests checking that TCP flows back off correctly rather than flooding the network, on pain of being blacklisted. Could similar traffic analysis tools stop DDoS? How might this work, or if not, why not?

  147. It co$t$ you lot$ of buck$. But silver lining. by Ungrounded+Lightning · · Score: 2

    Why should I as the average net citizen and as a citizen of the United States care that sites are being taken down[?]

    Because it cost the targets a lot of money. And they'll have to make that up. So their prices will go up to make it back. Which means their competitors don't have to cut prices as hard. And Joe Random Consumer ends up footing the bill.

    And that's YOU, friend.

    And meanwhile, the law enforcement people will spend a lot more money hunting down and prosecuting the perpetrators. Paid for by YOUR tax money. And so your taxes go up, or your other services go down. Bucks out of your pocket again, or inconvenience because your road wasn't fixed or whatever.

    And sysadmins at ISPs and thousands of sites all over the Internet will spend a bunch of time thrashing around over the issue. They don't work for free. Cost of Internet service goes up - or doesn't go down as fast. That gets folded into the price of everything the ISP's customers sell, and into your Internet bill. Meanwhile you don't get other fixes as fast.

    I could go on.

    But there's a silver lining:

    The digital anarchy will start patching this set of holes. This kind of DoS attack will get harder, and an unmodified version may become impossible. The net will be more robust.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  148. Script Kiddies or Cyber Terrorists? by Chasuk · · Score: 2

    Do we classify the engineers of these DoS attacks as Script Kiddies or Cyber Terrorists? And does the fact that they have only attacked big, commercial sites make them criminal losers or heroic vigilantes protesting the commercialization of the 'net?

    Further, _if_ it is a protest, does it make it any less wrong? Let us assume for a second that a group calling themselves the "Anti-Open Source Brigade" started shutting down Slashdot regularly, out of the sincere political conviction that Open Source was really a terrible evil. Forget that their logic may be flawed; these are a group of committed, idealistic young men who knock Slashdot off-line quite successfully for hundreds of hours during a two-month period. And not just Slashdot: Freshmeat goes down, and all of the Andover sites, and Redhat, and every important Open Source proponent site on the 'net. Is it okay because their motives were pure?

    Lastly: if this were MS going down, how many cries of jubilation would we be hearing on Slashdot? And would it make us hypocrites?

  149. Re:illegal? by ucblockhead · · Score: 1
    Suppose you have an account on e-Trade. Suppose you are a day-trader. (Ok, you probably deserve what you get, but bear with me...) Suppose the stock you bought that morning goes up 1 point. You decide to sell.

    e-Trade is down due to a DoS attack. By the time it is up, the stock is now 1 point below what you bought at.

    Would you then be so sanguine about "no one really being hurt"?

    --
    The cake is a pie
  150. Automated hacking? by ucblockhead · · Score: 1
    Much has been made about the number of different client computers that had to have been hacked for this thing to reach the level it did against Yahoo. Many have taken this to mean that there had to have been some sort of organized effort. However, much also has been made about how the tools used were simple "script-kiddie" tools that require little knowledge, just the ability to follow some simple instructions.

    When I hear something like "follow some simple instructions", I think "programmable". Is it possible that instead of some sort of organized group, this is the work of one guy with some sort of automated hacking tool that, once started, attempts to hack lots of systems, installing one of these DDoS clients?

    --
    The cake is a pie
  151. Re:illegal? by ucblockhead · · Score: 1
    Say Amazon.com is down and I want/need to order a book. BarnesandNoble.com is up, so I'll just go over there and make my purchase. Boom, Amazon is out $20, and B&N is $20 richer.

    You also have to add to this the chance that you say "Hey, I like this much better!" and then never go back to Amazon.com. They could be out a lot more than $20 in the long run!

    --
    The cake is a pie
  152. Re:illegal? by ucblockhead · · Score: 1
    When you chose to live 50 miles from work and relied on your [car] and it dies do you feel cheated?

    No, but if I chose to live 50 miles from work and relied on my car, but couldn't use it because some idiot kids were joyriding in it this morning for a couple of hours, you're damn right I'd be pissed!

    (And I wouldn't excuse the whole thing if they brought it back in one piece, either.)

    --
    The cake is a pie
  153. Long term solutions? by LinuxParanoid · · Score: 2


    Short-term, your tools help act as "virus-checker" type solutions. In terms of long-term solutions for DoS+spoofing attacks, the main one I've seen proposed is to convince all ISPs to filter their outbound traffic to prevent outbound spoofing of packets claiming to come from other networks.

    Given that IP spoofing is a fundamental flaw in IPv4, does this rise of spoofing-abetted DoS attacks increase the potential value of moving networks to IPv6 (with its per-packet authentication headers)? What solution would be best from your point of view?

    --LP

    1. Re:Long term solutions? by LinuxParanoid · · Score: 2


      One would never do this with "every router"; at most, one would do this with routers on the "edge" of your network.

      Even then, you're imposing a burden on routers and more importantly router administrators to configure each router appropriately. And (somewhat like IPv6 adoption), you are requiring everyone on the Internet to adopt a procedure and process to make up for flawed technology. I'd call that a fundamental flaw.

      --LP

  154. Re:Other methods? by LinuxParanoid · · Score: 2

    On point three, you don't seem to get it. You can't put fake info in their IPv6 packets without detection (and discard) being possible at each router in the network thanks to the authentication header (which acts like a digital signature.) IP spoofing can't be detected at the packet level unless you can make sufficient assumptions about the ever-changing network and program them into each of your routers.

    And back to point two, tracking compromised systems is a huge benefit since it A) speeds up the time to shut down/notify offending sites *much* more rapidly, even if they were hacked, and B) makes things much riskier for the hackers attempting to carry out such attacks.

    --LinuxParanoid

  155. Re:Why exactly should the average citizen care? by outlier · · Score: 1
    Could someone give me a good example where a couple of hours of time really matters in a situation where I could just get off my lazy ass and just get the same item from a "real" store?

    Imagine you've got an account with E*Trade and you want to sell some stock that looks like it's gonna drop like a brick and cost you a fortune. You try to log on, but are unable to, thanks to some lazy cracker who wants to bomb a site with IP packets.

    You lose the money, start drinking, become depressed and easily agitated, yell at your spouse/SO for leaving the cap off the toothpaste, leading the neighbors to call the police, you get arrested, spouse/SO leaves you, you get gang raped in jail, mortgage the house to get out on bail, continue drinking, get fired, spend all remaining money on a lawyer, bank repossesses the house, you're now not only a geek, but a homeless geek with an arrest record, children point at you, John Markoff writes a column calling you the most dangerous homeless person in cyberspace, sells the rights to the movie for $1,000,000, eventually, fed up with the horrific tail spin your life has entered, you decide to kill yourself, however, something goes wrong and instead you become a vegetable, "you" then live out the remainder of your days being fed through a tube in some underfunded hospital while there is just enough neural activity in your otherwise dead brain to cause spasms in your vocal cords that cause your labored breathing to sound like you're saying "sell, sell" over and over, much to the amusement of the night cleaning staff.

  156. Re:Why exactly should the average citizen care? by java.bean · · Score: 1

    How many people worldwide do you think have died of lung cancer caused by cigarettes?

  157. Re:Why exactly should the average citizen care? by java.bean · · Score: 1

    I made no such comparison. I provided an example for the statement that no corporation had ever killed 6 million people.

  158. Question for Mr. Dittrich by Silicon_Knight · · Score: 1

    First of all, as a former employee of Communications and Computing, and a lurker on the UW Linux group mailing list, congratulations on your recent achievements.

    For those who wish to learn about network security, what resources do you recommend (to learn from)? How does one go about learning about network security, and how does one go about testing his knowledge of network security?

    With the increasing commercialization of the internet, and "high stakes" websites (such as online banking, E*Trade, etc.) there will be more and more need for a "security administrator". Currently there are standards by which IT professionals can be certified for system administration (such as Novell certification, MCSE, etc.). Do you see a need for basic "security admin" certification and if so what are your suggestions as to implementing them? Do you think UW (or other colleges, for that matter) should teach courses on network security?

    -=- SiKnight

  159. Steve Jackson Games?? by UnknownSoldier · · Score: 1

    > Steve Jackson Games happen to me

    What happened to them??

  160. Re:A solution by bjcopeland · · Score: 1

    I work at a very small ISP and we even have filters in place. Let's say you have two interfaces: T1 (WAN) and ethernet (LAN). LAN has the subnet 168.0.0.1/24 and WAN has IP address 10.0.0.1/30 (examples) with routing between the two (bridges are just plain stupid in all senses of the word). All you need to do is deny incoming packets (from the WAN) to 10.0.0.1 from 168.0.0.1 as well as all TCP packets that don't have the ACK flag set properly, don't use NFS or RSH or FTP without SSH, use NAT with dynamic port mapping for port 80 and you're set. If I were in charge of Yahoo! (I'm not even close) I would fire my Network Operations people and give my ISP hell. The only way we are going to stop this kind of malicious (yet useful) behavior is to

    1) Have ISP's make it standard operations to employ anti-spoofing filtering techniques

    2) Businesses who are served by those ISP's also employ filtering techniques along with using a DMZ AND employing TCPd, etc.

    It seems like a no-brainer to me. I know it's possible to "pretend" to be an IP that you're not but what about the "ACK" flag? Were these UDP packets? Am I making no sense? It just seems too obvious.
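The edge filters discussed in this thread (LinuxParanoid's "make every ISP filter outbound spoofing" proposal above and bjcopeland's WAN/LAN access list in this post) modelled as a small packet filter. This is an added example, not code from any post or from any real router; the LAN prefix, WAN address, interface names and packets are all constructed, and the ACK rule is simplified to "inbound TCP must carry ACK".

```python
"""Model of edge-router anti-spoofing filtering: ingress filtering on the
WAN side (drop packets claiming one of our LAN addresses), egress filtering
on the LAN side (drop packets whose source is not ours), and an
established-only rule for inbound TCP.  All values are constructed."""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field

# Same layout as the post's example: one LAN prefix, one WAN address.
# Assumed values for this demo, not a real deployment.
LAN_NET = ipaddress.ip_network("168.0.0.0/24")
WAN_ADDR = ipaddress.ip_address("10.0.0.1")


@dataclass(frozen=True)
class Packet:
    iface: str                      # interface the packet arrived on: "wan" or "lan"
    src: str                        # source IPv4 address as text
    dst: str                        # destination IPv4 address as text
    proto: str                      # "tcp", "udp" or "icmp"
    tcp_flags: frozenset = field(default_factory=frozenset)


def filter_packet(pkt: Packet) -> tuple[bool, str]:
    """Return (accepted, reason) for one packet, mimicking an edge ACL."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "wan":
        # Ingress anti-spoofing: a packet arriving from the outside can
        # never legitimately carry one of our own LAN addresses as source.
        if src in LAN_NET:
            return False, "ingress: spoofed LAN source on WAN"
        # Established-only rule: inbound TCP must carry ACK, so a bare SYN
        # (a new connection opened from outside) is refused.
        if pkt.proto == "tcp" and "ACK" not in pkt.tcp_flags:
            return False, "ingress: tcp without ACK"
        return True, "accept"
    if pkt.iface == "lan":
        # Egress anti-spoofing: hosts behind us may only send with our own
        # addresses, so a compromised LAN host cannot forge another
        # network's address on the way out.  This is the outbound filter
        # the thread wants every ISP to run.
        if src not in LAN_NET:
            return False, "egress: source not in LAN prefix"
        return True, "accept"
    return False, "unknown interface"


# Constructed sample: legitimate traffic, spoofed packets in both
# directions, and an inbound UDP flood with a genuine external source.
SAMPLE = [
    # reply to a connection a LAN host opened: passes
    Packet("wan", "192.0.2.10", "168.0.0.5", "tcp", frozenset({"ACK"})),
    # outside packet pretending to come from our LAN: ingress drop
    Packet("wan", "168.0.0.7", "10.0.0.1", "tcp", frozenset({"SYN"})),
    # inbound connection attempt (bare SYN): established-only drop
    Packet("wan", "192.0.2.20", "168.0.0.5", "tcp", frozenset({"SYN"})),
    # compromised LAN host sending with forged sources: egress drop
    Packet("lan", "203.0.113.9", "198.51.100.1", "udp"),
    Packet("lan", "203.0.113.10", "198.51.100.1", "udp"),
    # legitimate outbound packet from our LAN: passes
    Packet("lan", "168.0.0.5", "192.0.2.10", "tcp", frozenset({"SYN"})),
    # inbound UDP with an unforged external source: the ACK rule only
    # covers TCP, so this passes; address filters do nothing against a
    # flood whose source is real.
    Packet("wan", "198.51.100.77", "168.0.0.5", "udp"),
]


def tally(packets) -> dict:
    """Run the filter over a packet list and count verdicts by reason."""
    return dict(Counter(filter_packet(p)[1] for p in packets))


if __name__ == "__main__":
    for p in SAMPLE:
        ok, why = filter_packet(p)
        print(f"{'PASS' if ok else 'DROP'} {p.iface:3} {p.src:>15} -> {p.dst:<15} {p.proto:4} {why}")
    print(tally(SAMPLE))
```

Running it over the constructed sample drops the forged packets on both interfaces and the inbound bare SYN, but the last packet goes through: the answer to the post's "Were these UDP packets?" is that the ACK rule has nothing to say about UDP, and neither ingress nor egress filtering stops a flood from a host that uses its real address. What the egress filter does buy is that such a host can be traced to its network, which is the "tracking compromised systems" benefit raised elsewhere in the thread.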

  161. A bit offtopic, but YAY /. by Duxup · · Score: 2

    With all the WAY inaccurate information in the previous article about the recent DoS attacks (and in the news) and such I'm glad to see /. is going to someone who has some good info and is involved in the whole deal. YAY /. for maybe even raising the bar for the media elsewhere.

    1. Re:A bit offtopic, but YAY /. by Duxup · · Score: 2

      I did say "maybe" for a reason.

  162. Re:Why exactly should the average citizen care? by Eponymous,+Showered · · Score: 1

    Damn, where's my moderation points when I need 'em? Now my co-workers have no doubt I'm demented, laughing away in my cube here.

  163. Re:Why exactly should the average citizen care? by johnwerneken · · Score: 2

    Mega dittos. To use a phrase I don't often admit to.

    As part of the wild life and as a lover of the wilderness, I'm so glad to see a post here without the anarchist-paranoid party line. Without the general public's support, both direct and indirect (through firms they patronize as well as through policies adopted by the government), there would probably have been no Internet and certainly there would have been no world wide web.

    If people with good to excellent understanding ignore these net reliability issues, then people of little to no understanding will deal with them. Perhaps ending privacy and anonymity as we know it.

    Personally I suspect that securing 10,000 networks belonging to corporations, universities, and others with big fat pipes would go a LONG ways to denying the average script kiddie any base for these DDoS attacks.

  164. Re: Please provide find_ddos source code by vyesue · · Score: 1

    wow, you're exceedingly clever, what with this pat response and all. should I post my concerns again here verbatim, just for fun?

  165. Re: Please provide find_ddos source code by vyesue · · Score: 2

    We're entirely unworried about someone breaking into your machines and trojanning the code you're distributing. That's what md5 checksums are for, and that's why everyone uses them.

    What we're concerned with is the fact that you want us to run precompiled code. We don't know what this code does, because you won't release the source to it. We don't trust your assurances that it does what you advertise, and we're not about to potentially compromise our machines by installing government software on them.

    What are you hiding? Surely you know that if someone really wants to get around your scanner, they'll take the time to disassemble it and figure out how they're being scanned. The average person responsible for doing actual work, however, doesn't have that type of time at his disposal; Joe Sysadmin is going to laugh at your attempts to get him to run untrusted software.

  166. Re:Firewalls for Dummies? by fougasse · · Score: 1

    A home computer is a powerful weapon, compared in danger to a car? Excuse me?

    First, I'll take your wager any day. I'd say that a few hundred thousand dollars of damage could be caused in under an hour using a car -- just plow the car into a house and let it burn. Now, how exactly are you going to, in one day, cause hundreds of thousands of dollars of damage using your home computer? Answer: you can't, unless you're an incredibly skilled cracker. If it was this easy to cause damage using a computer, then people, who have a strange tendency to enjoy causing damage for no particular reason, would already have caused huge amounts of damage, and would do so on a regular basis.

    Requiring a license to use a computer is simply laughable. Licenses are required to drive a car because if you don't know how to drive, chances are you are going to kill someone. I know many people who know next to nothing about computers. Incredibly enough, none have either killed someone with their computers or caused any damage of any kind! Requiring a license to use a computer makes about as much sense as requiring a license to use a telephone, i.e. absolutely none.

    And by the way, all the conditions for the apocalypse you predict are in place. @Home has over a million subscribers - that's at least 500,000 relatively clueless Windows users with always-on connections. And what's the worst that has come of this? Probably the use of open Wingate proxies to post spam (a problem which has since been solved by scanning).

    And by the way, please don't use the word "stupid" to refer to the computer illiterate; they're not. They just don't know how to use computers. "Stupid" could apply equally well to someone who regularly makes spelling & grammar mistakes. (Examples of these can be found in the post I'm replying to and 90% of Slashdot. And possibly this post too.)

  167. Re:Firewalls for Dummies? by fougasse · · Score: 1

    What you're doing is known as arguing without an argument.

    "You are a fool if you think you can cause more damage with a car than a computer". Why? Discuss. How, exactly, could you or your average home user (not some mythical supercracker) cause hundreds of thousands of dollars of damage in a day with a computer? My answer was, and remains, that you can't, otherwise people would do so on a regular basis. You haven't provided any evidence to back up your claim...

    I never contested that some put a price on human life - I believe that that has nothing to do with what you're arguing, though.

    US (I'm not a US citizen, by the way) export restrictions on supercomputers: first, this is a bit of an out-of-date policy. Even so, though, the purpose is mainly to prevent government intelligence from using sophisticated analysis & encryption software; it has nothing to do with cracking or DoS, as this can be done using a plain old computer.

    "Did you know that dip shit". If you're going to propose major government changes, please learn basic social skills. And it's spelt "dipshit".

    As to @Home and RR being a hazard: of course they are. Not a hazard on the level of 4-year-olds driving, though. And not a major, apocalyptic hazard either; millions of people already use these services. My head isn't in the sand, it just isn't on another planet.

  168. Motivation by Zach · · Score: 1

    While DOS attacks are usually viewed as pranks by bored teenagers (which they usually are) these attacks seem to be much more serious. In your opinion, what is the motivation behind the people/group behind these attacks? What exactly are they trying to accomplish?

  169. Re:illegal? by msanto · · Score: 1

    So if I vandalized your car or damaged the road in front of your house, preventing you from driving to work, you wouldn't pursue criminal charges against me (or any other punishment)? Since you made your choice, you'd just live with it?

    Few people would agree with you in this example...

  170. Re:Why exactly should the average citizen care? by frode · · Score: 1

    grep

    --
    I have no .Sig
  171. Re:Why exactly should the average citizen care? by shazam* · · Score: 1

    So an attack against a business that thousands of people rely on for their livelihood is good, but an attack on a smaller site is bad?

    If sites are being taken down, one of two things are going to happen.
    1) Business is going to abandon the net, and you can go back to your dial up bbs
    2) Legislation, rules, tax dollars to fight "cyber crime" instead of poverty, hardware and software fixes that will limit what you can do with the net.

    Who gives a shit if the FBI is involved.
    You know things are serious when the Wall Street Journal is involved.

    Try to get over the "Large Corporation = Bad" thing, it smacks of hypocrisy.
    Until you can build your own computer from the dirt in your back yard, you are going to have to live with the fact that the large corporations of the world have improved your life and the lives of 99.9% of the people you will ever know in your life.

    The consumers have spoken.
    They don't want a wilderness.
    They want a park.
    If you want to maintain any semblance of wildlife, try to keep them from attacking the nice people in the cars.

    You don't have to agree with it, but you may have to live with it.

  172. Re:Seriousness of the Smurfs by shazam* · · Score: 1

    I like to think that it's the giant mushrooms.

  173. Why exactly should the average citizen care? by slashdot-terminal · · Score: 2

    Considering that the targets of these attacks have been large corporations and such I ask this.

    Why should I, as the average net citizen and as a citizen of the United States, care that sites are being taken down? And since the FBI is involved, does this mean this is a serious matter?

    --
    Slashdot social engineering at its finest
    1. Re:Why exactly should the average citizen care? by slashdot-terminal · · Score: 2

      Maybe because you'd like to buy something from them?


      Could someone give me a good example where a couple of hours of time really matters in a situation where I could just get off my lazy ass and just get the same item from a "real" store?

      I really wouldn't mind getting some fresh air and still getting what I wanted from the store while not depriving people of freedom because some lazy cracker wants to bomb a site with IP packets.

      --
      Slashdot social engineering at its finest
    2. Re:Why exactly should the average citizen care? by slashdot-terminal · · Score: 2

      I really believe the motive is money via stock price manipulation.

      So you think that this is a form of sophisticated industrial terrorism? That seems highly unlikely.

      Taking down a dot.com company is like grounding an airlines fleet.

      I surely hope that the internet concept of business is not the dominant form of doing business and that no other could be done to the level that an actual place of business becomes secondary.

      --
      Slashdot social engineering at its finest
    3. Re:Why exactly should the average citizen care? by slashdot-terminal · · Score: 2

      Pardon my flame, but what an idiotic question.

      Pardon my counter flame, but I really was wanting to ask the individual who came up with this information exactly what *HIS* opinion on such things is. However I will continue to remain civil throughout this discussion and not get overly excited.

      First of all, corporations are owned and run by citizens. And what exactly does "average" mean? Anyone not like you is automatically a non-citizen and not deserving of protection under the law?

      Generally there are groups that I would think have a better chance to "fend for themselves" so to speak. I think we all could agree that Microsoft is not entitled to such protection because they most likely could easily hire their own private army of assassins to do some form of quasi-legal garbage and just might get away with it.

      Corporations, because like so many of the people here have said, are EEEEEEEEEEEEVVVVVVVVVVVIIIIIIILLLLLLLL and are akin to the Third Reich in their effect. Well I guess those widdle ol' corporations can just fend for themselves now that the heat is on, or will you just moderate this down and just continue to think that the world is comprised of people who like money and money makers.

      I mean the average man is not a person who could easily buy a large mansion in southern France, and who has real worries and real concerns that do not seem like he belongs to the court of Louis XVI.

      Second, even if the attacks are against corporations not affiliated with you personally, others just might want to use the services they offer. Some of us even like the services they offer. Not to mention that attacks against them cause problems for sites in the general subnet vicinity (which might be some non-profit socialist site that you like).


      Nope, can't say that I use the internet on a daily basis to satisfy my hunger for stuff. I have only bought on the internet 2 times for a total of 3 items and that was only because I couldn't very easily get what I wanted at a store (debian CDs)

      Lastly, the FBI is involved because this is a very serious matter. It was an attack on the economic infrastructure. Maybe it's not a huge deal right now, but the net is becoming more and more important to the economy (particularly business-to-business services), and it's time to nip these idiots in the bud, and throw them in jail for twenty years to send a very strong message.


      What, that "The Business of America is Business" --Calvin Coolidge 1924? I really hate business and its related power. That's why I got involved in CS, because I didn't want to spend the rest of my life counting someone else's money for the rest of my professional career.

      I can't even now see that a large portion of money is actually being transferred online versus traditional methods. I would love some hard data to back up your claims.

      --
      Slashdot social engineering at its finest
    4. Re:Why exactly should the average citizen care? by slashdot-terminal · · Score: 2

      Uh, and exactly who is supposed to decide who gets protection under the law? Perhaps everyone who has over a certain amount of money should be just thrown in jail, since we know they couldn't have actually earned it. They must have stolen it by exploiting "average" citizens.


      I could say that if one were to get at least $1,000,000,000 that said person has most likely defrauded some person or done something dishonest in their lives. That is a fact that I am at least 99.9% sure of.

      Largely, to get more money than anyone else infers that you have some very large advantage over others with similar levels of work. I think that partly is bad. One could say that perhaps because I don't cheat people I am making less money than you if you do. That is what is bad.

      In fact, you've convinced me. By your standards, I think you're too rich to deserve protection under the law. I mean, it's pretty darn easy for you with your expensive computer, etc, when people are starving around the world.

      Wish I could show you my computer some time. Incidentally the computer I am writing these posts on doesn't even belong to me. I have a piece of shit for a machine. Sure, if you want to condemn me for at least getting something that would work half way decently then perhaps I am guilty of that.

      I would almost bet $1,000,000 dollars that you in fact have bested me in the PC hardware arena any day of the week. However the people who are in other countries are in fact largely there because of policies that their governments took in the past which essentially made their countries less available for advancement. I really can't change history and neither can you.

      So all that matters is what's important to you, I see. Yeah, that's a rational outlook.

      It's called desperation; I'm sure you have never heard of it either. Essentially when you have called every retailer or wholesaler in a 200 mile radius for a product you are forced to look to the only other option available to you. I was forced to use the internet to get what I wanted; it was not a choice that would have resulted in getting the product to work properly without the choice, so therefore I made the choice.

      I already stated that it's "not a huge deal right now", but the time to nip it in the bud is when it's not a huge deal.

      I really don't think that using the internet will ever supplant the traditional means of shopping at all. You may think so and others may think so but that would mean that business will crawl to a slow pace and that half of everyone will be going broke if they actually try to run their own business. Eventually this will gain even more power for corporations and take away your power.

      I think I've probably been taken by a troll.

      Well haven't been moderated to that yet but I think with the sentiment that big business should be helped when things go wrong I guess I will be soon.

      Incidentally it is real hypocrisy to think that corporations are evil and must be destroyed one minute and the next are the perfect angels of the universe the next. Which one is it? Make up your mind right here and now before you people do even more contradiction and say that Windows is the best and that the moon is composed of cheddar cheese.

      --
      Slashdot social engineering at its finest
    5. Re:Why exactly should the average citizen care? by Tim+Behrendsen · · Score: 1
      Oh no, poor little Yahoo/CNN/Amazon/Buy.com might "lose" (in this context lose=not gain) a few million (like they'd miss it anyways).

      Once again, corporations are not living entities. They are owned by real people. Have a 401K? Then you are possibly a shareholder in these companies, or one of the companies that do business with these companies.

      Are you so blind from jealousy and envy of others' success that you can't see that real, average people are affected by events such as these?

      Why should I take time out of my day for these guys? Besides, didn't your mommy teach you that it's not nice to be a tattle-tale?

      Ah, the David Cash philosophy. Watch your friend Jeremy Strohmeyer rape and kill a little girl, but it's none of your business.

      Yeah, the FBI was a bunch of thugs for tracking down that guy.


      --

    6. Re:Why exactly should the average citizen care? by Tim+Behrendsen · · Score: 1

      Well, I guess I agree that twenty years might be a little excessive. Still, I think this crime is comparable to a lot of other white-collar crimes. Maybe five years.

      I guess I'm just fed up with punks like this who feel they have to ruin everything for everyone. When I say "send a strong message", I mean not only the punishment, but these cases should be high-profile. "Interfere with the internet infrastructure == go to jail.".

      I mean, what if we had roving bands of teenagers who went around shooting out tires on trucks on the freeway (let's say at low speed)? And it caused massive traffic jams because of all the stuck trucks. While they aren't technically killing anyone, they are costing a lot of wasted time and money, and should/would be dealt with harshly. I see these fools in the same light.


      --

    7. Re:Why exactly should the average citizen care? by Tim+Behrendsen · · Score: 1
      I could argue that telnet sucks in windows but I'm sure you could explain to me why it is the best.

      I didn't say that every Microsoft application was the best; I said that there is no client application under Linux that is better than the equivalent one that runs under Windows. If you don't like the standard one, there are zillions of other ones.


      --

    8. Re:Why exactly should the average citizen care? by Tim+Behrendsen · · Score: 1
      You are not a machine full of facts, you are a man full of opinions, so maybe you should restate that as...

      Actually, I state it that way intentionally in order to challenge someone to name a client app that was better. I mean, what you say is true, but rather obvious, don't you think?

      In fact, you may have noticed I just changed my sig to reflect this very question. A CVS client might or might not be better; I'm not sure. But my intention is to stimulate thought as to why Open Source has failed so miserably in the area of client apps, while it has been quite successful for server apps. Particularly here on Slashdot where Open Source dogma needs some shaking up.

      In fact, some of the development apps are actually starting to catch up (read: not suck), which is not surprising since that would be an area that people would naturally want to improve upon.

      So, just for you, I will restate the question as "normal user apps" rather than "client apps", which is what I really meant.

      you forget that the Linux Zillion+one clients are also as good if not better...

      But that's just it. Where is this mythical "better" one? But telnet is such a simple, puny program that it's really beside the point. Where is a major, "killer app" for normal users that is clearly better than Windows?


      --

    9. Re:Why exactly should the average citizen care? by Tim+Behrendsen · · Score: 2

      Pardon my flame, but what an idiotic question.

      First of all, corporations are owned and run by citizens. And what exactly does "average" mean? Anyone not like you is automatically a non-citizen and not deserving of protection under the law?

      Second, even if the attacks are against corporations not affiliated with you personally, others just might want to use the services they offer. Some of us even like the services they offer. Not to mention that attacks against them cause problems for sites in the general subnet vicinity (which might be some non-profit socialist site that you like).

      Lastly, the FBI is involved because this is a very serious matter. It was an attack on the economic infrastructure. Maybe it's not a huge deal right now, but the net is becoming more and more important to the economy (particularly business-to-business services), and it's time to nip these idiots in the bud, and throw them in jail for twenty years to send a very strong message.


      --

    10. Re:Why exactly should the average citizen care? by Tim+Behrendsen · · Score: 2
      Generally there are groups that I would think have a better chance to "fend for themselves" so to speak. I think we all could agree that Microsoft is not entitled to such protection because they most likely could easily hire their own private army of assassins to do some form of quasi-legal garbage and just might get away with it.

      Uh, and exactly who is supposed to decide who gets protection under the law? Perhaps everyone who has over a certain amount of money should be just thrown in jail, since we know they couldn't have actually earned it. They must have stolen it by exploiting "average" citizens.

      In fact, you've convinced me. By your standards, I think you're too rich to deserve protection under the law. I mean, it's pretty darn easy for you with your expensive computer, etc, when people are starving around the world.

      Nope, can't say that I use the internet on a daily basis to satisfy my hunger for stuff. I have only bought on the internet 2 times for a total of 3 items and that was only because I couldn't very easily get what I wanted at a store (debian CDs).

      So all that matters is what's important to you, I see. Yeah, that's a rational outlook.

      I can't even now see that a large portion of money is actually being transferred online versus traditional methods. I would love some hard data to back up your claims.

      I already stated that it's "not a huge deal right now", but the time to nip it in the bud is when it's not a huge deal.

      I think I've probably been taken by a troll.


      --

    11. Re:Why exactly should the average citizen care? by Tim+Behrendsen · · Score: 2
      Largely to get more money than anyone else infers that you have some very large advantage over others with similar levels of work.

      In my experience, that is simply not true -- on balance. Does it happen? Of course; there will always be bad people in the world. But yes, on balance, those that work the hardest get the biggest rewards. I think where you get off track is in the definition of "hardest". Ditch diggers work very hard, but that doesn't mean they deserve to be millionaires. On the other hand, the president of a large multi-national corporation probably looks to a lot of people like he has a cushy job. However, what he has is the ability to manage a monster organization like that, and not many people can do it. That's an incredibly difficult job.

      However the people who are in other countries are in fact largely there because of policies that their governments took in the past which essentially made their countries less available for advancement.

      A surprisingly rational statement. However, it's the unequal distribution of capitalism that keeps their economies down. In other words, the lack of the corporations that you loathe.

      I really don't think that using the internet will ever supplant the traditional means of shopping at all.

      Why does it have to be all-or-nothing with you? Even Jeff Bezos says that he doesn't think e-commerce will supplant bricks-and-mortar. But that doesn't mean it won't be huge, particularly for business-to-business. B2B will probably be larger than the consumer space, because that's where linking supply-chains really makes sense.

      Incidentally it is real hypocrisy to think that corporations are evil and must be destroyed one minute and the next are the perfect angels of the universe the next. Which one is it? Make up your mind right here and now before you people do even more contradiction and say that Windows is the best and that the moon is composed of cheddar cheese.

      Again, why does everything have to be all-or-nothing with you? Corporations are not living entities; they are owned by real people with real lives and real families. Are there evil people in the world that have abused workers or consumers? Of course. But so what? That's why we have laws. What does that have to do with the legal construction known as a corporation?

      And by the way, Windows is the best. Of course, the rub is in the definition of "best". Most consumers define "best" as the platform that supports the most applications, which is where work gets done. And the client end-user applications under Windows are far superior to anything else, particularly Linux. Not one client application under Linux is superior to the ones in Windows. Not one.


      --

    12. Re:Why exactly should the average citizen care? by orangecat · · Score: 1
      Well, besides the fact that the average citizen's freedom, anonymity, and enjoyment of the net are at risk because of the actions of these people...

      Average citizens should care because 99% of the time, average citizens are the target and/or their connections are the ones being used in order to perform the attack.

      DoS attacks have been a problem for years. Unfortunately, it takes attacks against large corporations for the media/general public to pay attention to the problem.

      Also, remember the capability that this shows. They've shown that they can take down very large sites. Yes, these sites may not be the most important things in the world to you. But just because they haven't aimed them at something you care about yet doesn't mean that there's no reason to care about the problem as a whole.

    13. Re:Why exactly should the average citizen care? by timmyd · · Score: 1

      Not one client application under Linux is superior to the ones in Windows. Not one.

      Yes, this is an opinion. If best means a platform that supports the most applications, how can a closed-source operating system be better than an open source one? With closed source, the only support comes from the documentation; open source is a documentation in itself and allows anybody to write their own. I have trouble seeing how closed-source can support more.

      The part about client applications being better in windows is your opinion, because it isn't possible to prove either way. I could argue that telnet sucks in windows but I'm sure you could explain to me why it is the best.

    14. Re:Why exactly should the average citizen care? by timmyd · · Score: 1

      actually, to get the full list type:

      ls -1 /bin /usr/bin /sbin /usr/sbin

      ...my opinion ;)

    15. Re:Why exactly should the average citizen care? by john@iastate.edu · · Score: 1
      Maybe because you'd like to buy something from them?

      --
      Shut up, be happy. The conveniences you demanded are now mandatory. -- Jello Biafra
    16. Re:Why exactly should the average citizen care? by Forrestina · · Score: 1
      "and it's time to nip these idiots in the bud, and throw them in jail for twenty years to send a very strong message."

      This is just wrong. "Sending a strong message" is bullshit, and it's wrong. They should be punished for the crime, NOT with more jail time than for murder, rape and a plethora of other violent and hurtful crimes. These only cost those behemoth corporations money, something they have plenty of.

      I am not supporting these crimes; they are crimes. However, the punishment should not exceed the crime. There should be no "Sending a Message".

      --

      -------
      "don't smoke, don't drink, don't fuck
      at least i can fucking think"
      Minor Threat

    17. Re:Why exactly should the average citizen care? by turbodog42 · · Score: 1

      Well, a company like Amazon could probably be very accurate about how much business they lost. A ton of money flows into Amazon every day. In Oct, Nov, and Dec 1999, they took in about $676 million. So 2 hours of downtime could cost them 676m / 90 days / 24 hours * 2 hours = $626,000, over $5,000 a minute.

    18. Re:Why exactly should the average citizen care? by 348 · · Score: 2

      Along the same lines, I always enjoy the companies who claim they have lost gazillions of dollars due to the hack. I know there's money involved, but the costs always seem to be very inflated.

      --

      More race stuff in one place,
      than any one place on the net.

    19. Re:Why exactly should the average citizen care? by 348 · · Score: 3
      5K a minute is chump change to them.

      I run revenue streams for companies like this and I can tell you the numbers that they attribute to loss are greatly exaggerated. They do it because it is more economical to write it off as bad debt (LIN also includes general corp losses) and take the tax break. The more they report as bad debt, the bigger the tax break. Makes quarterly reports look very good at the top and then they bury it deep inside the report. DoS, hacking, fraud, employee theft etc. all this goes into that line item.

      --

      More race stuff in one place,
      than any one place on the net.

    20. Re:Why exactly should the average citizen care? by mangu · · Score: 1
      Okay, I'll name one application that's better under Linux: Netscape Navigator, which I'm using right now.

      Netscape itself has some bugs, which make it crash from time to time, particularly when running Java. It has these bugs in all its versions, Linux, Windows, or Mac. When it crashes in Windows, one has to reboot the machine, losing some five minutes. When it crashes in Linux, I find the process id with the command:

      ps aux | grep netscape

      abort the process:

      kill -9 pid

      and restart Netscape.

      Okay, you will say that IE5 under Win98 is "better" than Netscape, but I beg to disagree. IE5 accepts a lot of commands that leave me entirely at the mercy of unscrupulous site administrators.

      Just to give an example, I was once surfing a computer related usenet group, when the first message was a porno site spam. Just by *opening* that (non sex related!) newsgroup, IE5 automatically opened the spam message, automatically opened the porno website, popped up a lot of banners, and opened a "join now" page. That page had an "on exit" Javascript routine that opened the home page for the website, starting all that bullshit again. Solution? Yeah, you guessed it, reboot! 5+ minutes lost, while searching for a job related information.

      Of course, I can turn off Javascript, but then IE5 under Win98 will be worse than Netscape under Linux, because it will be unable to run Javascript.

      I do not use Linux because I'm a zealot. I use it because it's the most practical and convenient system for my end-user applications. I first got Linux five years ago (Yggdrasil Plug-and-Play), but didn't use it at the time. After installing it, I found exactly what you have said: there were no good end-user applications at that time. Since programming the OS itself was not my purpose in life, I removed Linux from my system. However, about a year ago, I gave Linux another try, and found that much better applications had been ported to it. I only boot my home computer in Win98 now to play some games.

      troll, ...They lived in mountains, sometimes stole human maidens, and could transform themselves and prophesy...

    21. Re:Why exactly should the average citizen care? by Joe+Schottman · · Score: 1

      How about the fact that broadband DSL and cable companies will see DoS attacks coming from insecure Linux boxes, and ban all non-approved operating systems? Or ban all servers, and portscan you every so often to check up on what you're doing? Now when you call $BigCableCo about getting your Linux/*BSD/OS/2/C-64/whatever on their highspeed connection, they have a reason to say no.

      How about the fact that as a high traffic, high profile site that has been mentioned frequently in the media recently, Slashdot may be next?

  174. Re:illegal? by slashdot-terminal · · Score: 2

    But I have perfectly functioning DSL, so I sold my modem and can't dial up anymore. What would I do then?

    For how much? A couple of bucks? I am sorry, if you can afford DSL I don't think you're hurting, and if you can access E-trade I would especially say you're not hurting at all.

    I have access to only a 2400bps modem at home; does that mean that it is a crime if I don't have a local number for a BBS to E-trade? When you get some technology you become dependent on it. When you chose to live 50 miles from work and relied on your car and it dies, do you feel cheated?

    I say you made the choice now live with it.

    --
    Slashdot social engineering at its finest
  175. Jailtime? by Esperandi · · Score: 1

    Do you believe that all people who launch DoS attacks, from these guys doing them on a large scale down to the guys using exploits thru IRC, should be jailed if it can be proven that they committed the crime or do you believe it to just be part of the Internet culture?

    Esperandi

  176. Anti-online by Quintin+Stone · · Score: 1

    Did anyone else see John Vranesevich on the Today show this morning? He seemed to field all of the questions okay (I was still half asleep at the time), but then you can't really expect hard-ball technical questions from Matt Lauer.

    --

    "Prejudice is wrong; you should hate everyone the same."

  177. Overdone media coverage by Yhcrana · · Score: 1
    My personal opinion on this is that the media is taking this little problem way too far. Maybe I am just not paranoid enough (I did however read the link in the article yesterday about this being the government performing these DOS attacks).

    Explanation

    The facts about this are that some large sites get taken down for a few hours, the world panics, the media panics, the average citizen panics, legislation gets passed to allow the government to interfere in our lives. Maybe I AM paranoid, but the above link seems to make me a little wary (as if I wasn't wary enough already) of the government.

    Final notes on this....:

    • Overrated
    • Overdone Media
    • Government sponsored (just speculation)

    I just get sick and tired of all the friggin media coverage at 12:30 AM when I just want to find Dragon Ball Z on Cartoon Network.... Not to mention that now whenever I go to ANY channel all I hear about is the airplane crash (tragic) and the DOS attacks (or hackers as 99.9% of the news shows call it) Yhcrana

    --

    The voices in my head don't like you

    1. Re:Overdone media coverage by Yhcrana · · Score: 1

      AH SH*T... forgot the preview button

      --

      The voices in my head don't like you

  178. Question to ask by dsussman · · Score: 1

    The versions of detection software are for Unix/Linux platforms. With the proliferation of Win95/Win98/WinNT systems on cable modems, aren't many of these systems potential unwitting drones because of their relative lack of security of any kind? When will we see Win 32 detection software? Or have the attacks all been sourced to Unix/Linux boxes? New question: What efforts are being made to calm the public fears of lost data or insecure ecommerce sites when that is not the purpose or capability of a DDoS attack? Downtime is bad, but why panic the masses? Let the techies fight off the bad guys...

  179. A solution by Dirtside · · Score: 2

    Couldn't this whole problem be obviated by having ISPs modify their routers not to allow packets out that don't have a legal source address? If you're FlashTechComNet, and your entire network is under the address (say) 127.0.x.x, then if you just make your routers drop outgoing packets that have source addresses not in that netmask, doesn't that prevent this kind of thing? Obviously you can still try and flood someone, but you're going to have to be using IPs from that subnet, which makes you much easier to catch.

    --
    "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
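The egress-filtering idea in the post above (drop outbound packets whose source address is not one of the network's own addresses) can be modelled in a few lines. The following is an added example written for this page, not code from the thread or from any vendor; the prefixes, interface names and packets are all constructed. 127.0.x.x is not used here because it is loopback space; documentation prefixes stand in for the ISP's netblocks. The second function shows why this makes attackers "much easier to catch": the spoofed source address says nothing, but the customer interface the packet arrived on does.

```python
"""Egress (source-address) filtering on a border router, as a simulation.

Added example, not part of the original discussion. The router knows the
prefixes it owns (constructed: 192.0.2.0/24 and 203.0.113.0/24) and drops
any outbound packet whose source address lies outside them.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str      # source address as written in the IP header
    dst: str      # destination address
    proto: str    # "tcp", "udp", "icmp", ...
    iface: str    # customer-facing interface the packet arrived on


class EgressFilter:
    """Allow an outbound packet only if its source is inside an owned prefix."""

    def __init__(self, owned_prefixes: Iterable[str]) -> None:
        self.prefixes = [ipaddress.ip_network(p, strict=True) for p in owned_prefixes]

    def is_own_source(self, src: str) -> bool:
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False            # unparsable source: fail closed
        return any(addr in net for net in self.prefixes)

    def filter(self, packets: Iterable[Packet]) -> Tuple[List[Packet], List[Packet]]:
        """Split packets into (allowed, dropped)."""
        allowed: List[Packet] = []
        dropped: List[Packet] = []
        for p in packets:
            (allowed if self.is_own_source(p.src) else dropped).append(p)
        return allowed, dropped


def spoof_report(dropped: Iterable[Packet]) -> Dict[str, int]:
    """Count dropped (spoofed) packets per ingress interface.

    The forged source address cannot be trusted, but the interface is a
    physical fact the ISP controls, so this is what points at the customer.
    """
    return dict(Counter(p.iface for p in dropped))


# Constructed sample traffic: two legitimate packets, two with forged
# sources (one private, one belonging to the destination's own network),
# and one with a malformed source field.
SAMPLE_PACKETS = [
    Packet("192.0.2.10",   "198.51.100.5", "tcp",  "cust-1"),
    Packet("203.0.113.7",  "198.51.100.5", "udp",  "cust-1"),
    Packet("10.9.8.7",     "198.51.100.5", "udp",  "cust-2"),
    Packet("198.51.100.5", "198.51.100.5", "icmp", "cust-2"),
    Packet("not-an-ip",    "198.51.100.5", "udp",  "cust-3"),
]

ISP_FILTER = EgressFilter(["192.0.2.0/24", "203.0.113.0/24"])


def run_sample() -> Tuple[int, int, Dict[str, int]]:
    """Return (allowed count, dropped count, per-interface spoof report)."""
    allowed, dropped = ISP_FILTER.filter(SAMPLE_PACKETS)
    return len(allowed), len(dropped), spoof_report(dropped)


if __name__ == "__main__":
    n_ok, n_drop, report = run_sample()
    print(f"allowed={n_ok} dropped={n_drop} spoofing by interface={report}")
```

On a real router this is a single prefix-list applied outbound on the upstream interface; the value of the simulation is the report, which is the data an ISP would actually hand to an abuse desk.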
  180. Re:welcome to the new slash-dot! by Codex+The+Sloth · · Score: 1

    in 90% of cases the final editorial control will rest with Rob Malda

    So what happens in the other 10% of cases? The Men in black get to decide. Isn't it the 10% that really matters anyway?
    I don't have a problem with the merger per se but you're not giving me the warm fuzzies...

    --
    I am not a number! I am a man! And don't you ... oh wait, I'm #93427. Ha ha! In your face #93428!
  181. Why is it too difficult to trace?? by rbreve · · Score: 1

    With tools like sniffers, tcpdump, ipchains, we can see exactly what's happening in our network or website. A site like Yahoo must have all the logs, so, if there is a DDoS we can track the IPs, then find out where the floods come from, check the computer with that IP and find out what is causing the problem. Maybe it's a worm or a trojan like BO or something like that, but someone is controlling that worm/trojan from outside; by studying the logs from the computer that has that worm/trojan it is possible to find out who is controlling that trojan. Is that a way to find out who is doing the attacks?

  182. Re:illegal? by niekze · · Score: 1

    Ahh... but that's the whole point. Sure it's happened to you and I before as well as scores of other people. But when it happened... it sucked, your modem cut off and you just went on. That's the net... it's crazy.
    But, now big companies are getting attacked. Seems the whole world wants "justice". Only the corporate sector gets attention. Sure you could say that is because it is more noticeable, but with that advantage, the big get bigger.
    I read about that kid who got into the AOL system and downloaded some shots of the upcoming 6.0 release... AOL didn't like that he put it on his site. And for some reason, he was DoS'ed for hours... I didn't see that on CNN, NBC, ABC, or CBS...

    --


    Chaos, Mayhem, and Destruction: Not
  183. illegal? by niekze · · Score: 2

    Are these attacks really illegal? Are companies really losing money? I see this as a form of protest (possibly) and if you were going to buy a CD from Amazon and it was down... you could always come back later or go somewhere else. So what type of individual(s) do you think are responsible... perhaps a profile?

    --


    Chaos, Mayhem, and Destruction: Not
    1. Re:illegal? by orangecat · · Score: 1
      Yes, they are illegal, under Title 18 Section 1030(a)(5) United States Code. (And, I believe, other laws as well, but I can't remember which off the top of my head)

      People need to stop thinking of this as a minor inconvenience for large corporations, and examine the real damage that can be done using these tools.

      Say such attacks were aimed at a small ISP on a regular basis over a period of weeks (months, years). This ISP is going to lose a lot of customers due to the attack. They may never be able to recover financially from the attacks.

      Or what about the innocent user who happens to get on the bad side of some script kiddie? This user has a static IP, and is stuck without his internet access for however long the script kiddie decides to keep it up.

      Or what about the university with hacked accounts on its systems which are being used for outgoing attacks, using up all the university's bandwidth and dropping them off the net for hours at a time, days on end?

      These things happen every day, and have for years! These attacks didn't just suddenly pop into being with the large corporations - those are just the first the media paid any attention to (and thus, the first many people heard about).

      I personally have either experienced, or know people who have experienced, all of the above.

      And someone described these "protests" well in another post:

      It's one thing to tie yourself to the gate of a nuclear power plant in protest.

      It's another thing entirely to grab some innocent bystander off the street, tie them to the post, and then go home and drink hot cocoa or whatever.

      These attacks are being committed by breaking into computers and using their bandwidth. Would you agree that this, at the least, should be illegal?

    2. Re:illegal? by turbodog42 · · Score: 1

      But I have perfectly functioning DSL, so I sold my modem and can't dial up anymore. What would I do then?

    3. Re:illegal? by turbodog42 · · Score: 1

      So by your logic, I should get some cans and string and run them between me and the 911 dispatch office in case someone were to DoS attack the 911 system? Or how about this case: should I not feel sorry for you if you're being taken to a hospital in an ambulance, but some idiot on the road won't get out of the ambulance's way and you happen to die before you reach certain lifesaving at the hospital? The road hog denied you an important service. I'm certainly not saying E-trade is as important as 911. But my point is that someone asked "how does this affect me?" E-trade provides a valuable service to a lot of people, most of whom are not fat cats and/or day traders, and denying them access to that service can really hurt them. There is probably some web service that you (or your job) depends on somehow and if it were DoS'd at a critical time you'd be pissed too. And you wouldn't want some jackass to say "well you shoulda planned for that".

    4. Re:illegal? by kwsNI · · Score: 1

      E-Trade has its own dial-up server that you can dial if their internet site is down.

      kwsNI

    5. Re:illegal? by kwsNI · · Score: 1

      Out of pure jealousy, it gives me great pleasure to say: You're screwed! :)

      kwsNI

    6. Re:illegal? by busman · · Score: 1

      Take your finger and use the 'phone?

      --
      __
      Sigs are like arse-holes, everybody has one ;-)
    7. Re:illegal? by Minty+Toothbrush · · Score: 1

      If your day trading were really important to you, you would plan for this eventuality, and invest in a $30 56K modem.

      Failing to plan is planning to fail.

      Minty Toothbrush


      --


      If an infinite number of monkeys typed at an infinite number of
      computer keyboards, they would all be
    8. Re:illegal? by Wyntermute · · Score: 1

      Well, at the very least it could be considered a form of vandalism, I suppose. It's distracting from the actual use of the site. Kind of a stretch, I know...but I think a case could be made. But in today's "I want it, and I want it NOW!" economy, if a user cannot get into a site to order something, they'll go to the competition, and that translates to stealing from the affected site IMO.

      Say Amazon.com is down and I want/need to order a book. BarnesandNoble.com is up, so I'll just go over there and make my purchase. Boom, Amazon is out $20, and B&N is $20 richer. Magnify that by (potentially) thousands of users, and you have a serious loss of cash. Besides, Amazon needs all the cash it can get so it can finally claim a respectable profit!!!

      As for a profile, word from the hacker community (or is that h4x0r community?) is that this is some beginner cracker or whatever just flexing some media-hyped muscle. No one has even stepped forward to take credit for it yet. That's what the hacker community respects. This isn't original, and actually seems to be disdained as the pointless antics of a "packet monkey". If it's a form of protest, the least the perp could do would be to put out something that says WHY they're doing this...

      I'm guessin' that it's a teenager that has discovered some lit about DoS or packet flooding and is trying to see what he can get away with. He may be part of a local group, but by the fact that he's not left any sign for recognition or credit, he's afraid (really afraid) of getting caught.

      Then again, I'm just a whitebread programmer in the burbs...what do I know?

      --


      ----
      Wyntermute, resident psychopath
      "Remember that you're unique - just like everyone else!"
  184. Example of why people should care by orangecat · · Score: 1
    Post #121 of this thread is a perfect example of why people should care.

    When someone uses DoS attacks to take out 100% of a large university's bandwidth over a frigging IRC channel, there's a serious problem.

  185. I dont believe packet spoofing is the real problem by Darwin2000 · · Score: 1

    I don't believe packet spoofing is the real problem. The current DoS attacks are using smurf type attacks. To do this they need to have networks that pass that kind of packet, which is a ping to a broadcast IP of a larger network, where all people on the second network respond back to the forged IP in the packet.
    Cisco routers already have a simple do-not-pass-broadcast-packets statement that essentially kills this whole attack at its source.
    The only problem is not everyone on the internet knows this or has implemented it.
    THE REAL PROBLEM is the server admins haven't put the correct patches on their servers. Overworked/lazy/ignorant server admins putting servers on the net makes it easy to take control. This is the problem; if people were to have an easy upgrade/patch mechanism that automatically sent them email when a patch is out, with options to autopatch the box, that would solve this.
    Another solution would be someone notifying the sysadmins of the 1800+ networks listed as smurf sources that simple fixes are available for their routers. I believe it's just 1 line in the Cisco config with no overhead that I can see. ISPs that connect systems to the net should require this to be on all routers connecting through them.

    If you have a server on the net and you haven't installed Tripwire type security checks on it, you should rush over and sign yourself up at www.abuseme.com.

    Lastly, to put in the kind of logic suggested at the website listed in the article would add a huge amount of overhead and require layer 3 switches as they sit now to be put out to pasture. 5.5 gigabits of IP throughput with 50+ 100mb ports would make it impossible to check every packet source against a DNS algorithm.
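The post above describes the smurf pattern from both ends: an echo request aimed at a subnet's broadcast address turns that subnet into an amplifier, and the forged source address becomes the victim of the replies. What an operator can do with ordinary packet logs is check for both signs. The following is an added example for this page, not code from the thread; the log format (`timestamp source destination icmp-type`), the local subnet and the sample lines are all constructed. The first function flags requests that would make the local network an amplifier; the second flags a destination that is receiving echo replies from many distinct hosts inside a short window, which is what the victim sees.

```python
"""Smurf indicators from constructed ICMP packet logs (added example).

Log line format assumed here: "<ts> <src> <dst> <icmp-type>", one packet
per line, icmp-type being "echo-request" or "echo-reply".
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed: the subnet this operator is responsible for.
LOCAL_SUBNETS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_line(line: str) -> Tuple[int, str, str, str]:
    ts, src, dst, kind = line.split()
    return int(ts), src, dst, kind


def directed_broadcast_requests(lines: Iterable[str],
                                subnets=LOCAL_SUBNETS) -> List[Tuple[int, str, str]]:
    """Echo requests addressed to one of our subnet broadcast addresses.

    Each hit is a packet that, if forwarded, would make every host on that
    subnet reply to the (probably forged) source. Returned as (ts, src, dst).
    """
    broadcast = {str(n.broadcast_address) for n in subnets}
    hits = []
    for ts, src, dst, kind in map(parse_line, lines):
        if kind == "echo-request" and dst in broadcast:
            hits.append((ts, src, dst))
    return hits


def reply_flood_victims(lines: Iterable[str], window: int = 5,
                        min_sources: int = 3) -> Dict[str, int]:
    """Destinations receiving echo replies from >= min_sources distinct
    hosts within any `window` seconds. Returns {dst: peak distinct sources}.
    """
    replies: Dict[str, List[Tuple[int, str]]] = defaultdict(list)
    for ts, src, dst, kind in map(parse_line, lines):
        if kind == "echo-reply":
            replies[dst].append((ts, src))

    victims: Dict[str, int] = {}
    for dst, events in replies.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits in `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({src for _, src in events[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= min_sources:
            victims[dst] = peak
    return victims


# Constructed sample: one spoofed request to our broadcast address, four
# local hosts answering the forged source, then an ordinary local ping.
SAMPLE_LOG = [
    "1 203.0.113.9 198.51.100.255 echo-request",
    "1 198.51.100.10 203.0.113.9 echo-reply",
    "1 198.51.100.11 203.0.113.9 echo-reply",
    "2 198.51.100.12 203.0.113.9 echo-reply",
    "2 198.51.100.13 203.0.113.9 echo-reply",
    "3 198.51.100.20 198.51.100.10 echo-request",
    "3 198.51.100.10 198.51.100.20 echo-reply",
]

if __name__ == "__main__":
    print("amplifier hits:", directed_broadcast_requests(SAMPLE_LOG))
    print("flood victims:", reply_flood_victims(SAMPLE_LOG))
```

The first check is the one the "1 line in the Cisco config" prevents at the source (on IOS the interface command is `no ip directed-broadcast`); the second is useful on the receiving side, where the operator has no control over the amplifier networks and can only spot the pattern and contact them.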

  186. What's the hold up? by mcol1 · · Score: 1
    Dave, good work on the site and the docs. Very useful info. What is the hold up with catching the perpetrators? If you are able to find a master, you should be able to catch the master's user, no? Are they using some phreaky method like (a) a phone line attached to a waterpipe, run to another building, or dialup provider in a "renegade" country, or are we dealing with corporation sponsored terrorism, or state sponsored anti-capitalistic mayhem?

    P.S. As far as IPv6 is concerned, it is wonderful for many things but because IPv6 packets, by nature, consume tons of bandwidth for small packets, they will never be used for long distance traffic, such as traffic between major traffic centers. Unless of course we invent giga-giga ethernet and everybody stops using new protocols, like 3D video, which would inevitably get invented. But now I am digressing. IPv6 is not suitable for a lot of mainstream stuff we need, and especially not for real time protocols. VoIP comes to mind as a good example. And besides, the well touted reason that IPv6 support only exists in the latest apps, will remain a good reason not to deploy IPv6 for a few years at least.

  187. IPv6 misinfo, correction by mcol1 · · Score: 1
    Please check your facts. IPv6 doubles the average packet size for real time protocols with small packet sizes, like VoIP, which I specifically mentioned as an example. VoIP data is transmitted in very small packets, because delays must be kept to a minimum. Using IPv6 would double your bandwidth requirements.

    Because VoIP data should take priority when transmitting data, its volume becomes a significant factor. Of course, if no network has bandwidth shortages, this is not an issue. Anyway, IPv4 and IPv6 can co-exist. IPv6 is necessary for the future survival of the Internet, because of the increasing demand for hosts. However, IPv4 is needed for real-time delivery of some data. It is possible to use IPv6 until your local router, and then have the packets reworked and transmitted as IPv4 packets to the destination. This is possible when the protocol is known. E.g. in the case of VoIP this is often done. (Well, I don't know about often, but I've designed an implementation myself and it wasn't too complicated.)

  188. Yes it's illegal, very much so. by shagoth · · Score: 1

    Disrupting interstate commerce is a federal crime. Guess what, the net is interstate. It's time to accept the fact that while much of the net can slide quietly by many traditional laws, once you start playing games with things that violate federal statute the FBI notices. Moreover, the disruptions impacted the stock prices of the sites involved. The Securities and Exchange Commission is watching for people who might have profited as a result. Manipulating stock prices is illegal. I feel sorry for the poor schmucks who got lucky as the script kiddies did their deeds. Also, we add to the mix the Federal Trade Commission because of the interstate commerce issue. You start jacking with trade you bring all kinds of evils out of the woodwork. This is very bad. It's a shame, but some minimally clever h4x0rs are going to cost us all a whole lot of freedom once this all shakes out.

  189. Further trends by rise · · Score: 1

    What trends do you foresee in the development of DDoS tools in light of the addition of encryption & remote update capabilities in recent months? Do you believe that tools to scan for clients, masters, and handlers will be able to stay close enough behind the improvements in stealth techniques to remain relevant, and if not what do you expect to replace them as countermeasures? (Other than, of course, the widescale implementation of good security.)

    Jonathan Conway

  190. Re:Firewalls for Dummies? by thedude60 · · Score: 1

    What would a cracker want with home computers. Seems they are more interested in crashing commercial or govt sites. But it wouldn't hurt to be prepared. I usually leave my computer on day and night (for scheduled updates, downloads, etc.) For that matter is there anything quick and dirty to protect me against (h/cr)ackers?

  191. Paranoia by Nyarly · · Score: 1
    It's been raised as speculation in my group of acquaintances that while the recent DoS attacks have been malicious and impressive, a better target for a truly effective DoS would be one or more credit card verification servers, since the effect would be much more far reaching (in that it would upset online commerce across the world, rather than for any one site).

    The question is, how reasonable is this fear? I would hope that credit institutions would run tighter ships, but I would also have expected companies whose assets all depend on their presence online to be well defended as well.

    --
    IP is just rude.
    Is there any torture so subl
  192. Two for the price of one by CunningPike · · Score: 1

    Hi Dave,

    I've got a couple of questions I'd like to ask. I thought I'd cheat and put them together in the same post.

    1. There's been a lot of talk about how Linux/Solaris boxes were responsible for the DDoS attacks (slaves actually causing the DDoS).
      Is this true?
      and if so why do you think, with the multitude of Win 9x/NT boxes on the net, few or no NT machines were used?
    2. How did you end up a Software Engineer and Consultant for C&C, University of Washington? Which companies did you work for? -- or did you stay in academia?

    Cheers,


    --
    | What, you were expecting
    -O_O- +---- something witty?
  193. Off-topic! Moderate this down! by john@iastate.edu · · Score: 1
    Well it is! :)

    --
    Shut up, be happy. The conveniences you demanded are now mandatory. -- Jello Biafra
  194. A fruitless exercise? by john@iastate.edu · · Score: 3
    In other words, my question is:

    Isn't the intersection of the sets:

    • Clueless enough to allow massive DoS out of their network.
    • Yet likely to install this detector.
    pretty darn small?

    --
    Shut up, be happy. The conveniences you demanded are now mandatory. -- Jello Biafra
  195. Questions. by bons · · Score: 3
    • What decent sites are there that offer security information for a variety of operating systems geared to either the average user or the power user?
    • With the influx of dedicated connections, it becomes more necessary for the end user to put security in place, however the end user does not want to pay for these tools. Is there an easy to use freeware package that can deal with this?
    • Given the following:
      • ISP companies, campus security, and companies that have connected all their machines to the internet tend not to have a good understanding of security.
      • Those that don't have a good understanding take a dim view of their customers that do.
      • It seems like the average security expert is a former "criminal hacker type" (mediaspace: a perception of reality defined by the media)
      What is our best hope for getting out of the dark ages of computer security anytime soon?
    • What would give for odds on this being an attack by the following classifications:an individual, an organized group, or the federal government?

    It strikes me as insanely easy to propagate this type of flood attack using a virus with this little dealie as part of the payload. If the virus kept track of the IP addresses of the machines it tried to infect it could be quite deadly. (send command to ping target IP to all possibly infected IP addresses using forged information then Ping target IP) The worst part is that the system could get recursive. (Machine X knows that it tried to infect machine Y. Machine Y knows that it tried to infect machine X. Commands bounce back and forth between them. Ouch.) And tracing that one back would be close to impossible...

    -----

  196. Other methods? by Dr+Caleb · · Score: 4
    Dave,

    There seems to be several solutions floating around, mostly smart routers that track valid traffic and MAC addresses.

    Would changing to IPv6 help eliminate these type of attacks? From what I read of the specs on IPv6, all the data needed to track a packet from destination right down to the MAC address is included in the packet.

    Thanks.

    --
    "History doesn't repeat itself, but it does rhyme." Mark Twain
  197. security dialectic by Colbey · · Score: 2
    How big of a problem do you see these DoSes becoming? Is this just another sway back to the crackers in the larger scheme of the computer security dialectic? Or is the nature of a DoS such that it will never go away?

    -Colbey (Josh Rosenberg)

  198. who is behind of the current attacks? by roman_mir · · Score: 1
    Hi Dave.

    So what are your thoughts about the origin of the past attacks? Who is (or who are) behind them?

    A disgruntled employee? Unlikely, look at how many different sites are attacked.

    A firm? Quite possibly, just look at ISS stock prices, they went up after the attacks (that company makes money selling security solutions for the internet.)

    What about the range of targets? Yahoo!, EBay, Buy, CNN, ZDNet, Datek, E-Trade... If the attacks are originated by competition, then it's really strange that they are competing with everyone.

    On the other hand, what about large IT Solution companies such as USWeb/CKS or the likes? Could they do it so that these sites would have to restructure or increase their back-end solutions, and more contracts would be generated?

    Maybe it is an internet website insurance company? Quite possibly so. If symantec could release viruses to pull attention to their antivirus software (Norton), why wouldn't ISS or some insurance company do the same? What about medical care personnel releasing some deadly viruses like AIDS in order to get some funds to find the cure?

    Some random cracker that is not associated with any organization? Then Why didn't he attack Microsoft first?

    Microsoft? That's possible, they are going to release their new OS (Win2K) maybe this is just a game for them to show vulnerabilities of networks to some pinhead managers, and to try and push their new OS as a possible solution?

    So, Dave, what do you think?

  199. Someone claims to have traced the source. by jjsaul · · Score: 1

    In this article, the reporter claims that an anonymous source has traced the attacks to an adolescent.

    http://dailynews.yahoo.com/h/ao/20000210/cr/20000210031.html

    Smells like BS to me, but I'll pass it on anyway. On a related point - remember the caning in Singapore a few years back? Hmmmm.

  200. To start smoking is optional by mangu · · Score: 1
    To be taken to a concentration camp is not

    troll, ...They lived in mountains, sometimes stole human maidens, and could transform themselves and prophesy...

  201. It can be done with pigeons! by mangu · · Score: 1
    Tell you what, as soon as you figure out a way to send IP over smoke signals you let me know and I'll join your inquisition. ;)

    look it up in RFC1149 - D. Waitzman, "A Standard for the Transmission of IP Datagrams on Avian Carriers"

    troll, ...They lived in mountains, sometimes stole human maidens, and could transform themselves and prophesy...

  202. Why, dammit, WHY? by Chagrin · · Score: 1
    Why, when no one has released any information as to the nature of these attacks, is everyone so quick to jump on the bandwagon that this is a trinoo, TFN, stacheldraht, or similar daemon causing the trouble? How do we know that this isn't some kind of security hole in Cisco routers, or simply someone tapped into a large fiber cable (in some subway, sewer, or similar) launching the attacks?

    --

    I/O Error G-17: Aborting Installation

  203. A much better solution would be... by Vandenzob · · Score: 1

    A much better solution would be to see what getting connected to the Net really means. Any of these sites could have been the victim of a failing or misconfigured router, the victim of legitimate over-use (hey, ask any site that suffers from the Slashdot Effect ... heheh), a failure of the line provider (MCI, AT&T), or a failure of the server hardware. It would have been the same: downtime one way or the other. So, why chase around for eventual culprits? (probably teens anyway)

    They are businesses, THEY SHOULD GET INSURED for this and stop complaining about individuals' actions on the Net. For God's sake, these are predictable risks. Does Greyhound call in the FBI because one of its buses was stopped as a tire got punctured by a broken coke bottle? Do we chase all soda drinkers for it and organise a manhunt? No, it's just part of the risks, so you get insured and that's it. Is that too pro-active for them to handle? Gee, any old fart from before the "MBA generation" would have seen that one coming.

    I suppose those new companies need more mature managers.

  204. Firewalls for Dummies? by hiendohar · · Score: 3

    With the increasing popularity of broadband, always-on connections and the increasing distribution of networking software, it seems like "Joe DSL" faces a greater risk of having his system compromised than before. How much can the average user be expected to learn about securing their system? Do you foresee developments, either in software, education or in other services that might help private computer users or small time administrators protect themselves better?

  205. Media attention. by kwsNI · · Score: 1

    These DDoS attacks are all over the media. Do you feel that all of the media hype will be good to raise awareness about what can be done to prevent DDoS attacks in the future or is it just going to scare the average user?

    kwsNI

  206. DDos Motives? by toaster_imp · · Score: 1

    I was wondering if the motives behind these attacks are not just script kiddies out to have some fun or impress Jodie Foster, but if a foreign government may have sanctioned them. Perhaps for the purpose of sending a message to the US Government or to the world at large that they can shut down the web at will. In the history of human conflict any advancement in science is invariably used at some point to provide an advantage to one government over another. Up to now I have seen very little that would indicate that the web would become a new medium for launching terrorist attacks. Could this be changing? I would be interested to know if any computer security professionals have given thought to this possibility.

    --
    "Out of timber so crooked as that which man is made nothing entirely straight can be carved" - Kant

  207. DOS Hacker visits slashdot? by brainchild2b · · Score: 1

    No doubt that the persons responsible for that attack probably visit slashdot. lol

    --
    brainchild out

  208. What about other devices? by north.coaster · · Score: 1

    Will the number of security threats increase as more things are connected to the network? Are the designers of Internet appliances making the same security-related mistakes as traditional computer designers? Should I be worried about someone breaking in to my HP printer?

    north.coaster

  209. Metaphor/Analogy by xeroh · · Score: 1

    There have been many attempts to compare DoS "attacks" to other sorts of illegal activities. Do you have a preferred metaphor? Or do you think that few analogies to other criminal acts carry over to DoS etc.?

  210. do the ddos daemon detectors have a back door? by argoff · · Score: 1

    I found it funny that they were distributed in binary form only. Did the FBI put in a back door to spy on people's computer systems?

  211. Is it not the case that you can NEVER prevent DoS? by DrWiggy · · Score: 1

    Would you agree that it is impossible for large-traffic sites to ever be able to protect themselves from distributed traffic-generation attacks? I ask this assuming that the type of attack uses traffic that looks no different to 'normal browsing' traffic (which is probably the most difficult to detect). What's more, if there are analysis systems in place to detect such attacks, what measure can be taken to ensure that those systems themselves don't fall under the DoS attack by being flooded with traffic that they have to analyse?

  212. Negative results != secure system by HancockDC · · Score: 1
    I have been using find_ddos since Jan 3, 2000, and have upgraded it when the new releases have been announced. The initial run turned up one older Solaris 2.6 box that had been compromised with stacheldraht. This was a sudden wake-up call, and I have modified my security practices considerably as a result.

    Unfortunately the more I learn about root compromises and vulnerabilities, the more I wonder if negative results can be trusted.

    I use tcp wrappers and tripwire, I comment out irrelevant services in inetd.conf, I peruse system logs and look for unusual login patterns by users (like logging in locally at 11 pm and logging in from Europe at midnight).

    As these attacks become more sophisticated will we be able to trust our own senses and software tools to determine whether we have been compromised?
    -----------------------------------------

    --
    -----------------------------------------
    Computeri non cogitant, ergo non sunt

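    One way to automate the log check the post above describes (a local login late at night followed by one from Europe shortly after) is to flag consecutive logins by the same user from different locations within a short window. This is an added example, not the poster's own tooling or find_ddos; it parses constructed login records and uses a hypothetical source-to-location table.

```python
from datetime import datetime, timedelta

# Constructed login records in a "last"-like layout: user, source, date, time.
SAMPLE_LOG = """\
alice console           2000-02-09 23:02
bob   console           2000-02-09 09:00
bob   ws1.example.net   2000-02-09 17:30
alice dialup.example.de 2000-02-10 00:05
"""

# Hypothetical source-to-location table; a real site would build this from
# its asset inventory or a GeoIP lookup.
LOCATION = {"console": "local", "ws1.example.net": "local",
            "dialup.example.de": "Europe"}

# Two logins from different locations closer together than this are suspect.
MAX_GAP = timedelta(hours=2)


def parse_log(text):
    """Yield (user, source, datetime) tuples from the constructed layout."""
    for line in text.splitlines():
        if not line.strip():
            continue
        user, src, day, clock = line.split()
        yield user, src, datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M")


def find_suspicious_logins(records, location=LOCATION, max_gap=MAX_GAP):
    """Return (user, first_source, second_source) for each pair of consecutive
    logins by one user from different locations within max_gap. A source not
    in the table counts as its own location, so unknown hosts are never ignored."""
    by_user = {}
    for user, src, when in sorted(records, key=lambda r: r[2]):
        by_user.setdefault(user, []).append((src, when))
    flagged = []
    for user, logins in by_user.items():
        for (s1, t1), (s2, t2) in zip(logins, logins[1:]):
            if location.get(s1, s1) != location.get(s2, s2) and t2 - t1 <= max_gap:
                flagged.append((user, s1, s2))
    return flagged


if __name__ == "__main__":
    for user, first, second in find_suspicious_logins(parse_log(SAMPLE_LOG)):
        print(f"{user}: {first} then {second} within {MAX_GAP}")
```

    Bob's two local logins are not reported; Alice's console login at 23:02 followed by a European login 63 minutes later is.
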
  213. What is the solution? by foofc7ca · · Score: 1
    While detection tools can help, it appears that there are many more unskilled and untrained administrators than there are ones who actively secure their machines.

    This appears to be the underlying problem, that large numbers of vulnerable machines are available for attackers.

    From history, it seems that legislation has at best a mediocre track record, and in this case it would be tantamount to legislating intelligence on the part of system administrators (requiring an Internet Server License?)

    And finally, while these first tools are primitive, it seems that one could make drastic steps in improving the efficiency and stealthiness (including commands like "kill target at some time and forward this message to other known hosts"), as well as improved attacks.

    So, what can we as competent administrators do about the vast ranges of unsecured potential attackers?

    A netscan-esque or UDP style blacklist of vulnerable subnets?

    Active defense when these attacks occur, mindful of future attacks which might be indistinguishable from normal traffic?

    Requiring government licensing of all servers?

  214. DDos Virus by Krakus+Irus · · Score: 1

    Do you think that it is possible to develop a DDoS virus: on the first of May at midnight all the infected computers start the attack...

  215. welcome to the new slash-dot! by VA+Linux+Systems · · Score: 0

    Dear Slash-dot user,

    As many of you already know, Andover.net, Slash-dot's publisher, was recently acquired by VA Linux Systems, the premier provider of Linux-based, high performance server solutions. I am taking this opportunity to personally welcome each and every Slash-dot user to the new VA-Andover.net team.

    Over the next few months, our master developers will be working with the Andover.net and Slash-dot editorial staffs to improve this site with enhanced reliability and brand new features. VA has donated four StartX MP servers, "tweaked" by the expert engineers who build these systems, to make Slash-dot a faster and more reliable service for all. These systems will be integrated with the current Andover.net hardware as soon as April 2000; look for an announcement to be posted on the front page!

    Some users have expressed some concerns about VA's acquisition affecting the content of news released on Slash-dot. Not to worry, as this has already been discussed, and in 90% of cases the final editorial control will rest with Rob Malda, or as you know him, Captain Taco! :)

    With over six years of experience in the Linux world, VA Linux Systems is well suited to help bring Slash-dot into the 21st Century and make it the first stop on the Net for Linux news and discussion! I'm looking forward to it!

    Yours truly,

    Larry M. Augustin
    President, Chief Executive Officer and Director
    VA Linux Systems

    P.S. - In the next few weeks, look for links to special deals on VA Linux computers available only to Slash-dot readers! Just our way of welcoming our new team members!

  216. VA Linux / Slash-dot Giveaway -- enter today! by VA+Linux+Systems · · Score: 0

    As promised, VA Linux Systems will for a limited time be offering special deals on hot VA Linux computers to Slash-dot readers.

    To kick off the promotional offers, we're having a contest drawing on March 1st. The winner will receive a VA Linux Systems StartX SP Workstation with a blazing 400MHz Intel(TM) Celeron(TM) processor (approx. $908.00 value)!

    Five second place winners will receive a Linux / Slash-dot gift pack, including a "Debian GNU/Linux Box Set" and "Slash-dot" t-shirt (as seen on Copyleft.net), an estimated $40 value.

    Remember, this contest is only open to registered Slash-dot users. Look below for instructions on how to enter.

    In other news:

    • Slash-dot will most likely be "revamped" with a new look and feel before the end of the year. A series of polls will allow registered Slash-dot users to vote for the best-loved features.
    • Rob Malda, also known as Commander Taco, will be writing for a new column on the VA Linux web site where prominent figures in the Open Source / Linux Community will bring you the latest news and insights on this hot new technology. Our first issue will feature an interview with Ian Murdock, creator of the popular Debian Linux distribution.

    I must apologize for referring to Mr. Malda as "Captain Taco" in previous statements. I received over a dozen letters from Slash-dotters like yourselves informing me of my mistake, which brings me to this point: I encourage you to let me know your opinions (and correct me if I misspeak). Within a week a special e-mail address will be set up for this purpose. Only together can we make VA / Andover.net successful. Each and every one of you is part of the team.

    Please look for my new weekly newsletter, starting on February 18th!

    Sincerely,

    Larry M. Augustin
    President, Chief Executive Officer and Director
    VA Linux Systems

    ***"VA Linux/ Slash-dot Giveaway" Contest Instructions and Rules

    How to enter: The "VA Linux / Slash-dot Giveaway" contest (hereafter referred to as the Contest) is open to all registered Slash-dot users. To enter, send one e-mail to "service@valinux.com" with this text exactly in the subject (without the quotes): "SLASHDOT GIVEAWAY". The first line of the message body must be your registered Slash-dot username. Notification of winnings will be sent to the e-mail address on file in your Slash-dot user profile. You will not receive a confirmation e-mail when you enter. Please do not send multiple entries, as they will be discarded, and e-mail abuse ("spamming") may be grounds for Contest disqualification and/or removal of your ID from Slash-dot.

    Prize drawing: Winners will be drawn from all e-mails received up until the cutoff date of 1 March 2000 at 00:00UTC. Winners are randomly chosen using HotPicker(TM) software. Winners will be notified of their status by 5 March 2000 by e-mail containing a confirmation claim number. Prizes must be claimed by 31 March 2000.

    Prizes: There is one (1) "First place" prize consisting of one (1) "VA Linux Systems StartX SP Linux Workstation" with 400MHZ Intel Celeron processor, 64MB RAM, 6.4GB hard drive, and the VA Linux OS v.6.0 Software Kit. A 17" monitor, keyboard, and mouse are included. Five (5) "Second place" winners will receive a "Linux / Slash-dot gift pack" containing: one (1) Debian GNU / Linux software box set and one (1) Copyleft "Slash-dot" t-shirt. Estimated value of "First place" prize is $908.00**. Estimated value of "Second place" prize is $40.00**.

    Disclaimer: VA Linux Systems assumes no liability for e-mail Contest entries not received. The Contest is not open to employees of VA Linux Systems and Andover.net, or their immediate relatives. VA Linux Systems reserves the right to reward alternate prizes of equal or greater value, defined by the value estimates stated above. All trademarks are copyrights of their respective owners.

    Other: Note that the Contest is not mentioned on the VA Linux website. To receive a printed copy of the Official Rules, send e-mail to "info@valinux.com" with your mailing address. Please remember that because of the Contest's short entry period, you may not receive the printed Rules until after the cutoff date (as defined above).

    ** All values are in US dollars and do not include state tax and shipping charges.

  217. Where does one start? by Boone^ · · Score: 1

    The Internet is becoming commercialized to the point where security break-ins aren't just about replacing someone's homepage, it's costing companies real money due to their e-commerce portals being down. Where should the protection start? Are changes needed to the servers, the various routers, or the Internet Protocol itself? Based on the fact that the Internet *probably* isn't going to go anywhere for a while, what is the best long-term solution, and not some quick kluge?

  218. recent DDoS attacks could be... by Turgenev · · Score: 1

    The Chinese? The Serbs? Iran, Iran... The Taliban (nah, too dumb). Slick Willy the unindicted war criminal has created, in his 7.5 years of destruction, a lot more people around the world who hate America, Americans and American companies & institutions. This may not be some silly little kid sitting in his bedroom laughing his butt off. The FBI is gonna catch the bad guy? Yeah, right... same as the Taliban.